CVE-2026-6208: IDOR in in HAVELSAN's Geographic Tracking System
Authorization bypass through User-Controlled key vulnerability in HAVELSAN Inc. Geographic Tracking System allows Exploitation of Trusted Identifiers. This issue affects Geographic Tracking System: before v0.0.2.
Metrics
- CVSS v3.1
- 9.1
- Severity
- CRITICAL
- Fixed in
- v0.0.2
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An insecure direct object reference (IDOR) vulnerability exists in HAVELSAN Inc.'s Geographic Tracking System. The flaw is reachable over the network with no authentication required and no user interaction needed, meaning any internet-reachable instance is exposed to unauthenticated attackers. Successful exploitation allows an attacker to read and modify data the system manages, bypassing authorization controls entirely. A patched-image rebuild at v0.0.2 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-6208 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. Coverage extends to custom-built images that bundle the Geographic Tracking System, not just official upstream images.
AvailableHarborGuard is capable of scoring this CVE at its CVSS v3.1 rating of 9.1 (Critical) and weighting that score against each customer org's compliance policy to reflect their specific risk posture. Findings are routable to the appropriate team inbox within each customer organization based on configured escalation rules.
AvailableA patched-image rebuild at v0.0.2 becomes available through HarborGuard for any environment found running an affected version of the Geographic Tracking System. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a PR against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityRequired
The vulnerable service must be reachable over the network; any internet-exposed or internally networked instance is within reach of the attacker.
- AuthenticationNot required
No credentials or prior account access are needed; the attacker can send crafted requests as an unauthenticated user.
- Victim interactionNot required
No victim action such as clicking a link or opening a file is required; the attacker operates entirely without user participation.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and imposes no special preconditions such as race conditions or specific memory layout requirements.
Blast Radius
- An attacker reads tracking records, location histories, and other confidential data managed by the system by substituting user-controlled object identifiers in requests.
- An attacker modifies or overwrites tracking entries and geographic data belonging to other users or organizations by referencing their object identifiers directly.
- Authorization controls are bypassed wholesale, so any object the system manages is accessible or editable without privilege checks.
How HarborGuard Handles This
Available on HarborGuard: detection of this Critical-severity IDOR is active across customer registries and pipelines the moment the CVE is ingested, including in custom images that package the Geographic Tracking System. Where compliance policy permits, a rebuild against v0.0.2 is queued automatically. For customers who opt into auto-remediation, HarborGuard performs the patched rebuild, executes a regression-test run, and opens a PR against affected workloads; for high and critical severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers not yet on auto-remediation can trigger the rebuild manually from the HarborGuard dashboard and review the diff before merging.
Fix available
- HAVELSAN Inc. / Geographic Tracking System< v0.0.2 (from 0)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N