HarborGuard Database
CRITICAL CVE-2026-48745 (CNA: GitHub_M)

CVE-2026-48745: Traccar Client: silent configuration hijack via unverified deep link redirects all GPS telemetry

Traccar Client is a GPS tracking mobile app for sending location updates to private servers using the open-source Traccar platform. In versions 9.7.19 and below, a single crafted deep link can silently hijack all GPS tracking parameters and redirect telemetry to an attacker-controlled server. The app registers a custom org.traccar.client://config deep-link scheme that silently writes attacker-supplied parameters (server URL, device ID, accuracy, distance, and interval) into the app's persistent configuration with no confirmation, notification, or visual indication. A single crafted link delivered via SMS, email, a webpage, or any installed app can therefore reconfigure the app the moment the victim taps it, with no special permissions required. As a result, an attacker can covertly redirect all of the victim's GPS telemetry to their own server at maximum precision and frequency, and the change persists across restarts. This gives the attacker continuous, real-time tracking of the victim's location. This issue has been fixed in version 9.7.20.
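The fix for this class of bug is to treat a config deep link as a proposal the user must see and confirm, never as a direct write to persistent settings. The following hardened handler is an added illustration in Python and not Traccar Client's own code; the query-key names (url, id, accuracy, distance, interval), the accuracy levels, the trusted-host allowlist and the interval floor are assumptions, since the page names the settings but not the link's exact format.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit
# Assumed for this illustration: the query keys, accuracy levels and limits.
ALLOWED_KEYS = {"url", "id", "accuracy", "distance", "interval"}
ACCURACY_LEVELS = {"high", "medium", "low"}
MIN_INTERVAL_S = 10  # refuse links that push reporting to maximum frequency

@dataclass
class Decision:
    # accepted means "safe to show the user for confirmation", never "applied"
    accepted: bool = False
    proposed: dict = field(default_factory=dict)
    reasons: list = field(default_factory=list)

def check_config_link(link: str, trusted_hosts: set) -> Decision:
    """Validate an org.traccar.client://config?... link; writes nothing."""
    d = Decision()
    parts = urlsplit(link)
    if parts.scheme != "org.traccar.client" or parts.netloc != "config":
        d.reasons.append("not a config deep link")
        return d
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in params.items():
        if key not in ALLOWED_KEYS or len(values) != 1:
            d.reasons.append(f"{key}: unknown or repeated parameter")
    one = {k: v[0] for k, v in params.items() if k in ALLOWED_KEYS and len(v) == 1}
    if "url" in one:
        server = urlsplit(one["url"])
        if server.scheme != "https":
            d.reasons.append("url: only https servers are accepted")
        elif server.hostname not in trusted_hosts:
            d.reasons.append(f"url: {server.hostname!r} is not an approved server")
        else:
            d.proposed["url"] = one["url"]
    if "id" in one:
        if one["id"].isascii() and one["id"].isalnum() and len(one["id"]) <= 64:
            d.proposed["id"] = one["id"]
        else:
            d.reasons.append("id: must be 1-64 ASCII letters or digits")
    if "accuracy" in one and one["accuracy"] in ACCURACY_LEVELS:
        d.proposed["accuracy"] = one["accuracy"]
    elif "accuracy" in one:
        d.reasons.append("accuracy: unknown level")
    for key, floor in (("interval", MIN_INTERVAL_S), ("distance", 0)):
        if key in one and one[key].isdigit() and int(one[key]) >= floor:
            d.proposed[key] = int(one[key])
        elif key in one:
            d.reasons.append(f"{key}: must be an integer >= {floor}")
    d.accepted = not d.reasons and bool(d.proposed)
    return d
```

Only a `Decision` with `accepted` set should be rendered as a confirmation dialog, and the app should persist `proposed` only after the user agrees; a production handler would additionally catch the `ValueError` that `urlsplit` raises on malformed bracketed hosts.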

Metrics

  • CVSS v3.1: 9.3
  • Severity: CRITICAL
  • Fixed in: 9.7.20
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a silent configuration hijack in Traccar Client, the GPS tracking mobile app for the open-source Traccar platform, affecting versions 9.7.19 and below. The vulnerability is reachable over the network and requires no authentication; it is triggered the moment a victim taps a crafted deep link delivered via SMS, email, a webpage, or any installed app. Successful exploitation lets an attacker silently redirect all GPS telemetry to an attacker-controlled server, giving them continuous real-time location tracking of the victim with no visible indication to the user. A patched-image rebuild at version 9.7.20 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-48745 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Traccar Client. Any image containing a version of traccar-client below 9.7.20 is flagged automatically.

Triage (Available)

HarborGuard scores this CVE at 9.3 CRITICAL using the published CVSS v3.1 vector, and that score is weighted against each customer environment's compliance policy to determine urgency and routing. Triage findings are delivered to the inbox configured for each customer org, prioritized according to their defined severity thresholds.

Patch (Pending upstream)

A patched-image rebuild at traccar-client 9.7.20 becomes available on HarborGuard for any image found to include an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test, and opens a PR against the affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must deliver the crafted deep link to the victim over a network channel such as SMS, email, or a web page, meaning the attack is initiated remotely.

  • Authentication: Not required

    No account, session, or credential of any kind is required; the deep-link scheme accepts attacker-supplied parameters without any authentication check.

  • Victim interaction: Required

    The victim must tap the crafted deep link, making this a social-engineering attack that requires at least one deliberate user action.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and condition-free; a single well-formed deep link is sufficient, with no race conditions or environmental dependencies.

Blast Radius

  • Attacker silently overwrites the server URL, device ID, accuracy, distance, and interval settings in the app's persistent configuration, with changes surviving device restarts.
  • All subsequent GPS telemetry is streamed in real time to the attacker's server at the maximum precision and frequency the attacker configures.
  • The victim's continuous physical location is exposed to the attacker with no visible notification or confirmation shown to the user.
  • Integrity of the tracking configuration is fully compromised, meaning legitimate Traccar server operators also lose visibility into the device.

How HarborGuard Handles This

Available on HarborGuard: images containing traccar-client below 9.7.20 are flagged at ingestion, and a rebuilt image at version 9.7.20 is made available immediately. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, executes a regression run, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Given the severity (9.3 CRITICAL) and the absence of any on-device warning to users, prioritizing rapid rollout of the patched image is strongly advised. Where compliance policy does not permit auto-remediation, compensating controls worth considering include network-policy rules that restrict outbound connections from the app host to known-good Traccar server addresses, and mobile device management profiles that block unrecognized deep-link scheme handlers until the updated version is deployed.

Affected packages

  • traccar / traccar-client: < 9.7.20

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N