CRITICAL | CVE-2026-6209 | Published | Modified | CNA: TR-CERT

CVE-2026-6209: Improper Access Control in HAVELSAN's Geographic Tracking System

Improper Access Control, Missing Authorization vulnerability in HAVELSAN Inc. Geographic Tracking System allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Geographic Tracking System: before v0.0.2.

Metrics

  • CVSS v3.1: 9.1
  • Severity: CRITICAL
  • Fixed in: v0.0.2
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An improper access control vulnerability in HAVELSAN Inc.'s Geographic Tracking System allows unauthenticated remote attackers to access functionality that should be restricted by access control lists (ACLs). The service is reachable over the network and requires no authentication, credentials, or victim interaction to exploit. Successful exploitation gives an attacker full read and write access to the system's data, enabling both disclosure of tracked geographic information and tampering with records. A patched-image rebuild at v0.0.2 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: CVE-2026-6209 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images derived from HAVELSAN's Geographic Tracking System base. Any image running a version prior to v0.0.2 is flagged automatically in the customer's registry and CI/CD pipeline.

Triage: Available

HarborGuard scores this CVE at 9.1 CRITICAL (CVSS v3.1) and surfaces it accordingly in each customer environment, with per-environment compliance policy weighting applied to route the finding to the appropriate team inbox. Triage context, including affected image tags and the missing-authorization root cause, is attached to each finding automatically.

Patch: Available

A patched-image rebuild at v0.0.2 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable service is exposed over the network, meaning an attacker must be able to reach it via standard network connectivity to exploit this vulnerability.

  • Authentication: Not required

    No credentials or account of any privilege level are needed; the missing authorization check is reachable by any unauthenticated request.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven and requires no action from any user of the system.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental factors to succeed.

Blast Radius

  • Reads geographic tracking records and any associated location or entity data stored in the system.
  • Modifies or overwrites tracking records, allowing an attacker to corrupt location history or inject false tracking data.
  • Accesses functionality gated behind ACLs, potentially including administrative or operational controls within the tracking system.
  • No availability impact is indicated by the CVSS vector; the service itself remains running but its data integrity and confidentiality are fully compromised.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-6209 is active across all customer environments and triggers immediately when a pre-v0.0.2 image of HAVELSAN's Geographic Tracking System is found in a registry or pipeline scan. Given the CRITICAL severity and the zero-barrier exploit path (no auth, no interaction, network-reachable), this finding is prioritized at the top of the compliance queue. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at v0.0.2, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers who manage remediation manually can act on the finding immediately using the affected image inventory surfaced in the HarborGuard dashboard.


Fix available: v0.0.2

Affected packages

  • HAVELSAN Inc. / Geographic Tracking System: < v0.0.2 (from 0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N