Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-48745

CVE-2026-48745: Traccar Client Auth Bypass Vulnerability

CVE-2026-48745 is an authentication bypass flaw in Traccar Client that allows attackers to hijack GPS tracking via malicious deep links. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-48745 Overview

CVE-2026-48745 is a deep link hijacking vulnerability in Traccar Client, a GPS tracking mobile application that sends location updates to private servers running the open-source Traccar platform. Versions 9.7.19 and below register the custom org.traccar.client://config deep-link scheme and write attacker-supplied parameters into persistent configuration without confirmation. A single crafted link delivered through SMS, email, a webpage, or any installed app silently reconfigures the server URL, device ID, accuracy, distance, and interval the moment the victim taps it. The application requires no special permissions to accept the change, and the new configuration persists across restarts. The issue is fixed in version 9.7.20.

Critical Impact

A single tap on a crafted deep link redirects all victim GPS telemetry to an attacker-controlled server at maximum precision, enabling continuous real-time location tracking.

Affected Products

  • Traccar Client mobile application versions 9.7.19 and below
  • Android distributions registering the org.traccar.client://config scheme
  • Deployments configured against any Traccar server backend

Discovery Timeline

  • 2026-06-17 - CVE-2026-48745 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-48745

Vulnerability Analysis

The vulnerability stems from unsafe handling of an exported deep-link intent in the Traccar Client mobile application. The app declares the org.traccar.client://config URI scheme as an entry point that accepts configuration parameters directly from the incoming intent. Any process or web context capable of issuing a URI can invoke this handler, including SMS messages, email clients, web browsers, and arbitrary third-party apps installed on the device.

When the handler receives a configuration URI, it parses parameters such as the upstream server URL, device identifier, location accuracy, reporting distance, and reporting interval. The application then writes these values into its persistent settings store without any user prompt, notification, or visible state change. Because the write is persistent, the redirection survives application restarts and device reboots. This issue is categorized under CWE-940: Improper Verification of Source of a Communication Channel.

Root Cause

The root cause is the absence of source verification and user confirmation on the deep-link configuration handler. The app trusts any caller that can deliver an org.traccar.client://config URI to mutate sensitive telemetry settings. No signature check, origin check, or interactive confirmation gates the configuration write.

Attack Vector

An attacker crafts a deep-link URL containing parameters that point the client to an attacker-controlled Traccar-compatible endpoint with the highest accuracy and shortest reporting interval. The attacker delivers the link through any channel the victim trusts, including an SMS, an email, a chat message, or an embedded link on a webpage. When the victim taps the link, the Traccar Client launches, writes the supplied values to persistent storage, and immediately begins transmitting location data to the attacker's server.

For technical details and the patch commit, refer to the GitHub Security Advisory GHSA-vm6j-6g39-gj97 and the upstream fix commit.

Detection Methods for CVE-2026-48745

Indicators of Compromise

  • Traccar Client configuration containing a server URL that does not match the organization's sanctioned Traccar host.
  • Sudden change of reporting interval to a near-zero value or accuracy set to the highest precision setting without administrator action.
  • Outbound HTTPS or HTTP connections from mobile devices to previously unseen domains shortly after a user opens a link.
  • Inbound SMS, email, or chat messages containing the org.traccar.client://config URI scheme.

Detection Strategies

  • Inspect mobile device management (MDM) telemetry for changes to the Traccar Client persistent settings file.
  • Monitor proxy and DNS logs for connections from managed mobile devices to non-corporate Traccar endpoints.
  • Scan email gateways, SMS filters, and web proxies for URIs beginning with org.traccar.client://config.

Monitoring Recommendations

  • Track installed Traccar Client versions across the fleet and alert on any device running 9.7.19 or below.
  • Correlate user link clicks with subsequent configuration deltas reported by mobile telemetry.
  • Audit Traccar server logs for devices that stop checking in to the legitimate backend after a known phishing or smishing event.

How to Mitigate CVE-2026-48745

Immediate Actions Required

  • Update Traccar Client to version 9.7.20 or later on all managed and BYOD devices.
  • Re-validate the configured server URL, device ID, and reporting parameters on every device after upgrade.
  • Block or quarantine messages and web content containing the org.traccar.client://config URI scheme at email, SMS, and web filtering layers.
  • Force re-enrollment of any device suspected to have processed a malicious deep link.

Patch Information

The maintainers fixed the issue in Traccar Client version 9.7.20. The remediation is documented in the GitHub Security Advisory GHSA-vm6j-6g39-gj97 and applied in commit 23558b0.

Workarounds

  • Until upgrade is complete, restrict the Traccar Client through MDM policy to prevent it from being launched by external deep links.
  • Educate users to avoid tapping unsolicited links and to verify the Traccar server URL in the app settings after any link interaction.
  • Where supported, use Android App Links verification or platform-level intent filters to constrain which sources can invoke the configuration handler.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.