CRITICAL | CVE-2026-6207 | CNA: TR-CERT

CVE-2026-6207: User Enumeration in HAVELSAN's Geographic Tracking System

Observable response discrepancy vulnerability in HAVELSAN Inc. Geographic Tracking System allows System Footprinting. This issue affects Geographic Tracking System: before v0.0.2.

Metrics

  • CVSS v3.1: 9.1
  • Severity: CRITICAL
  • Fixed in: v0.0.2
  • Affected Products: 1

HarborGuard Analysis

Synopsis

An observable response discrepancy vulnerability (user enumeration) affects HAVELSAN Inc.'s Geographic Tracking System in versions before v0.0.2. The flaw is reachable over the network with no authentication or user interaction required, allowing an attacker to probe the system and enumerate valid user accounts by observing differences in server responses. Successful exploitation gives the attacker a map of valid usernames and system structure, and also enables tampering with data. A patched-image rebuild at v0.0.2 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-6207 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (including TR-CERT) within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle the Geographic Tracking System.

Status: Available

Triage

Triage is available with CVSS v3.1 scoring applied automatically, surfacing this issue at its published score of 9.1 (Critical); per-environment compliance policy weighting can elevate or suppress alert priority, and routing to the appropriate team inbox within each customer organization is supported.

Status: Available

Patch

A patched-image rebuild at v0.0.2 becomes available on HarborGuard once a base image or layer resolving the affected version is confirmed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The vulnerable service must be reachable over the network; an attacker sends crafted requests remotely with no need for local access.

  • Authentication: Not required

    No credentials of any kind are needed; the attacker can probe the system as an unauthenticated user.

  • Victim interaction: Not required

    No user interaction is required; the attacker operates entirely without involving a legitimate user.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental prerequisites.

Blast Radius

  • An attacker enumerates valid usernames by comparing server response differences, building a target list for follow-on credential attacks.
  • Confidential data held by the system is exposed, including user account details and system structure information derived from footprinting.
  • An attacker with enumerated account knowledge can tamper with or modify persisted data and system records within the Geographic Tracking System.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-6207 is active across connected registries and pipelines the moment the advisory is ingested. For environments running Geographic Tracking System versions before v0.0.2, a rebuilt image at the fixed version becomes available on HarborGuard. Where compliance policy permits auto-remediation, HarborGuard performs the image rebuild, executes a regression run, and opens a pull request against affected workloads; for high- and critical-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not yet enabled, teams should treat this as a priority manual upgrade given the Critical severity rating, the unauthenticated network-accessible attack surface, and the combined confidentiality and integrity impact.

Fix available: v0.0.2

Affected packages
  • HAVELSAN Inc. / Geographic Tracking System
    < v0.0.2 (from 0)

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N