CVE-2026-48745: CWE-940: Improper Verification of Source of a Communication Channel in traccar traccar-client
Traccar Client versions 9.7.19 and below have a vulnerability where a crafted deep link using the org.traccar.client://config scheme can silently reconfigure the app to redirect GPS telemetry to an attacker-controlled server. This occurs without user confirmation or notification and persists across app restarts, enabling continuous real-time tracking of the victim's location. The issue is fixed in version 9.7.20.
AI Analysis
Technical Summary
The vulnerability in Traccar Client (<=9.7.19) involves improper verification of the source of a communication channel (CWE-940). The app registers a custom deep link scheme that allows an attacker to supply parameters such as server URL, device ID, accuracy, distance, and interval. When a victim taps a crafted deep link (via SMS, email, webpage, or other apps), the app silently writes these parameters into its persistent configuration without any user interaction or visual indication. This enables an attacker to hijack all GPS tracking data and redirect it to their own server at maximum precision and frequency. The vulnerability is resolved in version 9.7.20.
Potential Impact
An attacker can covertly redirect all GPS telemetry from the victim's device to an attacker-controlled server, gaining continuous, real-time location tracking. This compromises user privacy and location confidentiality. The attack requires only that the victim taps a crafted deep link, with no special permissions needed. The change persists across app restarts, making the compromise long-lasting until the app is updated or reconfigured.
Mitigation Recommendations
This vulnerability is fixed in Traccar Client version 9.7.20. Users and administrators should upgrade to version 9.7.20 or later to remediate this issue. Until then, users should avoid tapping untrusted deep links using the org.traccar.client://config scheme. Patch status is not explicitly confirmed by a vendor advisory in the provided data, but the fix version is stated in the description.
CVE-2026-48745: CWE-940: Improper Verification of Source of a Communication Channel in traccar traccar-client
Description
Traccar Client versions 9.7.19 and below have a vulnerability where a crafted deep link using the org.traccar.client://config scheme can silently reconfigure the app to redirect GPS telemetry to an attacker-controlled server. This occurs without user confirmation or notification and persists across app restarts, enabling continuous real-time tracking of the victim's location. The issue is fixed in version 9.7.20.
CVSS v3.1
Score 9.3critical
Affected software
pkg:github/traccar/traccar-clientRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Traccar Client (<=9.7.19) involves improper verification of the source of a communication channel (CWE-940). The app registers a custom deep link scheme that allows an attacker to supply parameters such as server URL, device ID, accuracy, distance, and interval. When a victim taps a crafted deep link (via SMS, email, webpage, or other apps), the app silently writes these parameters into its persistent configuration without any user interaction or visual indication. This enables an attacker to hijack all GPS tracking data and redirect it to their own server at maximum precision and frequency. The vulnerability is resolved in version 9.7.20.
Potential Impact
An attacker can covertly redirect all GPS telemetry from the victim's device to an attacker-controlled server, gaining continuous, real-time location tracking. This compromises user privacy and location confidentiality. The attack requires only that the victim taps a crafted deep link, with no special permissions needed. The change persists across app restarts, making the compromise long-lasting until the app is updated or reconfigured.
Mitigation Recommendations
This vulnerability is fixed in Traccar Client version 9.7.20. Users and administrators should upgrade to version 9.7.20 or later to remediate this issue. Until then, users should avoid tapping untrusted deep links using the org.traccar.client://config scheme. Patch status is not explicitly confirmed by a vendor advisory in the provided data, but the fix version is stated in the description.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-22T19:10:35.747Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a31ce780b89be68883e7751
Added to database: 6/16/2026, 10:30:16 PM
Last enriched: 6/16/2026, 10:45:06 PM
Last updated: 6/16/2026, 11:32:35 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.