CVE-2026-27693 Overview
CVE-2026-27693 is an XML injection vulnerability [CWE-91] in Traccar, an open source GPS tracking system. The flaw affects org.traccar:traccar versions 6.11.1 through 6.12.x and is fixed in version 6.13.0. The KML and GPX export functionality writes device names directly to XML output without proper escaping. An authenticated attacker with low privileges can create a device with a crafted name that injects XML content into exported files. When another user exports and opens the affected KML or GPX file, the injection corrupts the file structure and spoofs exported location data.
Critical Impact
Low-privileged attackers can inject XML into exported KML and GPX reports, corrupting file integrity and spoofing GPS location data consumed by downstream users.
Affected Products
- Traccar (Maven artifact org.traccar:traccar) versions 6.11.1 through 6.12.x, prior to the fix in 6.13.0
- KML and GPX export functionality in GpxExportProvider
Discovery Timeline
- 2026-05-05 - CVE-2026-27693 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-27693
Vulnerability Analysis
The vulnerability resides in Traccar's report export logic, specifically in the GpxExportProvider component referenced in the upstream advisory. When generating GPS tracking reports in KML (Keyhole Markup Language) or GPX (GPS Exchange Format), the application embeds attacker-controlled fields, including device names, into XML elements. The export routine omits XML entity escaping for the reserved characters <, >, &, " and ', so any of them supplied through the device name field is emitted as literal markup rather than as character data. The issue is classified as [CWE-91] XML Injection (aka Blind XPath Injection); the attack vector is network, and exploitation requires user interaction because a second user must export and open the file.
Root Cause
The root cause is missing output encoding when untrusted device metadata is serialized into an XML document. The export provider treats the device name as already-safe text and writes it into the XML structure by string concatenation, without routing it through an XML-aware writer (or an equivalent escaping call) that entity-encodes the reserved characters. The same defect also breaks exports on benign data: a device name such as "A & B" produces a document that is not well-formed, which is why exports that fail to parse are a useful indicator.
Attack Vector
An attacker first authenticates to the Traccar instance with low-privilege access sufficient to create or rename a device. The attacker sets the device name to a payload containing XML markup, such as closing existing tags and injecting new <wpt> or <Placemark> elements with attacker-chosen coordinates. A second user, typically an administrator or analyst, later generates a KML or GPX export that includes the malicious device. When the resulting file is opened in mapping software, the injected elements alter the rendered track, insert spoofed waypoints, or break parsing entirely.
The vulnerability mechanism is documented in the GitHub Security Advisory GHSA-32pj-vrqc-x656 and the GpxExportProvider source.
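The root cause and attack vector above, as an added example that is not Traccar's GpxExportProvider code and not taken from the advisory: a Python stand-in for the Java export path, with a string-built GPX writer beside one that uses an XML-aware writer. The device names, coordinates and the spoofed-waypoint payload are constructed for the demonstration; the payload shape (close <name> and <wpt>, inject a new <wpt>, reopen <name>) is the one a crafted device name would use against an unescaped export. KML is omitted because the mechanism is identical with <Placemark> in place of <wpt>.

```python
import xml.etree.ElementTree as ET

GPX_NS = "http://www.topografix.com/GPX/1/1"
XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>\n'

# Constructed sample devices (not real Traccar data). The second name is the kind of
# payload a low-privileged user could set through /api/devices: it closes <name> and
# <wpt>, injects a spoofed waypoint at 0,0 and reopens <name>, so the final document
# stays well-formed and parses cleanly in a mapping client.
DEVICES = [
    {"name": "Truck 12", "lat": 51.5074, "lon": -0.1278},
    {
        "name": 'Van 7</name></wpt><wpt lat="0.000000" lon="0.000000"><name>Van 7',
        "lat": 48.8566,
        "lon": 2.3522,
    },
]


def export_gpx_vulnerable(devices):
    """String-built export in the style of the pre-6.13.0 code path: the device
    name is concatenated into the markup, so <, > and & reach the output verbatim."""
    parts = [XML_DECL, f'<gpx version="1.1" creator="demo" xmlns="{GPX_NS}">']
    for d in devices:
        parts.append(
            f'<wpt lat="{d["lat"]:.6f}" lon="{d["lon"]:.6f}">'
            f'<name>{d["name"]}</name></wpt>'
        )
    parts.append("</gpx>")
    return "".join(parts)


def export_gpx_safe(devices):
    """Same document built through an XML-aware writer: ElementTree stores the name
    as text and entity-encodes &, < and > when it serializes, so the payload is
    emitted as character data inside one <name> element, not as new elements."""
    gpx = ET.Element("gpx", {"version": "1.1", "creator": "demo", "xmlns": GPX_NS})
    for d in devices:
        wpt = ET.SubElement(gpx, "wpt", {"lat": f"{d['lat']:.6f}", "lon": f"{d['lon']:.6f}"})
        ET.SubElement(wpt, "name").text = d["name"]
    return XML_DECL + ET.tostring(gpx, encoding="unicode")


def waypoints(gpx_text):
    """Parse the export the way a consumer would and return (name, lat, lon) tuples."""
    root = ET.fromstring(gpx_text)
    return [
        (w.findtext(f"{{{GPX_NS}}}name"), w.get("lat"), w.get("lon"))
        for w in root.iter(f"{{{GPX_NS}}}wpt")
    ]


if __name__ == "__main__":
    for label, exporter in (("vulnerable", export_gpx_vulnerable), ("safe", export_gpx_safe)):
        print(f"{label}: {waypoints(exporter(DEVICES))}")
```

Running it shows the difference a consumer sees: the string-built export yields three waypoints for two devices, the third at 0,0 with a plausible name, while the XML-aware export yields two, with the crafted payload preserved as a harmless (if ugly) name. For code that must keep building strings, `xml.sax.saxutils.escape` for text and `quoteattr` for attribute values give the same protection.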
Detection Methods for CVE-2026-27693
Indicators of Compromise
- Device records with names containing XML metacharacters such as <, >, </wpt>, </Placemark>, or embedded XML tags.
- Exported KML or GPX files that fail schema validation or contain unexpected waypoint, track, or placemark elements.
- Traccar server logs showing device create or edit actions by low-privileged accounts shortly before a report export.
Detection Strategies
- Inspect the Traccar tc_devices table for name values containing angle brackets, ampersands, or XML element tokens.
- Validate previously generated KML and GPX exports against the official KML 2.2 and GPX 1.1 XSD schemas to flag injected markup.
- Review web server or reverse proxy access logs for POST and PUT requests to /api/devices from low-privileged accounts. Standard access logs record the method and path but not the JSON body, and the name field travels in the body, so this requires request body logging at the proxy or correlation with Traccar's own device create/edit log entries.
Monitoring Recommendations
- Alert on creation or modification of device names that include XML-significant characters.
- Monitor report export endpoints for unusual activity correlated with recent low-privileged device changes.
- Track the Traccar version in deployment inventories to confirm upgrade status to 6.13.0 or later.
How to Mitigate CVE-2026-27693
Immediate Actions Required
- Upgrade Traccar to version 6.13.0, which applies proper XML escaping in the export providers.
- Audit existing device records and sanitize or rename any entries containing XML metacharacters.
- Restrict device creation and rename permissions to trusted operator roles where feasible.
Patch Information
The maintainers fixed the issue in Traccar 6.13.0. Details are available in the GitHub Security Advisory GHSA-32pj-vrqc-x656. Administrators running versions 6.11.1 through 6.12.x must update without delay.
Workarounds
- Until the patch is deployed, reject device names containing <, >, &, " or ' on POST and PUT requests to /api/devices, for example with a body-inspection rule in the reverse proxy or WAF in front of Traccar.
- Avoid generating or distributing KML and GPX exports that include devices created by untrusted users.
- Treat exported report files as untrusted input: check that they are well-formed and validate them against the KML 2.2 or GPX 1.1 schema before opening them in a mapping client. Schema validation catches malformed output but not an injection that keeps the document well-formed and uses valid elements (for example a name that closes <wpt> and opens a new one), so also compare the number of waypoints or placemarks against the devices that were requested.
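The detection strategies above (scanning tc_devices, checking exports before they are opened) and the input-validation workaround, as one added example that is not Traccar's code: an in-memory SQLite copy of the two tc_devices columns the check needs, the WHERE clause to run against a real deployment, a name gate for a proxy rule, and an export check. The device rows and GPX documents are constructed; the waypoint-count check assumes one <wpt> per device in the export request, which is a heuristic rather than a property of Traccar's output.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Characters that change the structure of an XML document when written unescaped:
# < and > open/close elements, & starts an entity, quotes end attribute values.
XML_META = re.compile(r'[<>&"\']')

# Constructed stand-in for the relevant columns of Traccar's tc_devices table.
# Row 3 is an injection payload; row 4 is a benign name that still breaks an
# unescaped export, because a bare & is not well-formed XML.
SAMPLE_DEVICES = [
    (1, "Truck 12"),
    (2, "Van 7"),
    (3, 'Van 7</name></wpt><wpt lat="0" lon="0"><name>Van 7'),
    (4, "Car & Trailer"),
    (5, "Bike <test>"),
]

GPX_HEAD = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<gpx version="1.1" creator="demo" xmlns="http://www.topografix.com/GPX/1/1">'
)
# Constructed exports: one clean, one corrupted by an unescaped &, one with an
# injected waypoint (well-formed, so it would pass an XSD check).
CLEAN_GPX = GPX_HEAD + '<wpt lat="51.5" lon="-0.1"><name>Truck 12</name></wpt></gpx>'
MALFORMED_GPX = GPX_HEAD + '<wpt lat="51.5" lon="-0.1"><name>Car & Trailer</name></wpt></gpx>'
INJECTED_GPX = GPX_HEAD + (
    '<wpt lat="51.5" lon="-0.1"><name>Truck 12</name></wpt>'
    '<wpt lat="48.8" lon="2.3"><name>Van 7</name></wpt>'
    '<wpt lat="0" lon="0"><name>Van 7</name></wpt></gpx>'
)

# The same WHERE clause can be pasted into psql or mysql against a real deployment.
SUSPICIOUS_NAMES_SQL = """
SELECT id, name FROM tc_devices
WHERE name LIKE '%<%' OR name LIKE '%>%' OR name LIKE '%&%'
   OR name LIKE '%"%' OR name LIKE '%''%'
ORDER BY id
"""


def build_sample_db():
    """In-memory SQLite copy of the two columns the check needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tc_devices (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO tc_devices (id, name) VALUES (?, ?)", SAMPLE_DEVICES)
    return conn


def find_suspicious_names(conn):
    """Return (id, name) rows whose name carries XML metacharacters."""
    return conn.execute(SUSPICIOUS_NAMES_SQL).fetchall()


def valid_device_name(name):
    """Workaround gate for POST/PUT /api/devices (e.g. inside a reverse proxy rule):
    accept only names free of XML metacharacters until the upgrade is done."""
    return XML_META.search(name) is None


def check_export(gpx_text, expected_waypoints):
    """Findings for an export before it is opened in a mapping client: not
    well-formed, or a different number of <wpt> elements than the request should
    have produced. The count assumes one waypoint per requested device."""
    try:
        root = ET.fromstring(gpx_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    found = sum(1 for _ in root.iter("{http://www.topografix.com/GPX/1/1}wpt"))
    if found != expected_waypoints:
        return [f"expected {expected_waypoints} wpt elements, found {found}"]
    return []


if __name__ == "__main__":
    conn = build_sample_db()
    print("suspicious tc_devices rows:", find_suspicious_names(conn))
    for label, doc, expected in (
        ("clean", CLEAN_GPX, 1),
        ("malformed", MALFORMED_GPX, 1),
        ("injected", INJECTED_GPX, 2),
    ):
        print(label, check_export(doc, expected))
```

The SQL flags the benign "Car & Trailer" as well as the payload, which is intended: on a vulnerable version that name also corrupts the export, and on any version it is worth renaming before the file reaches a downstream consumer. The export check is the weaker control; the reliable place to catch this is at the device name, which is why the name gate and the upgrade come first.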
# Upgrade Traccar to the patched release
wget https://github.com/traccar/traccar/releases/download/v6.13.0/traccar-linux-64-6.13.0.zip
unzip traccar-linux-64-6.13.0.zip
sudo ./traccar.run
sudo systemctl restart traccar
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.