VYPR
Medium severity4.3NVD Advisory· Published May 26, 2026· Updated May 27, 2026

CVE-2026-44314

CVE-2026-44314

Description

Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.Permission(User.class, getUserId(), Device.class) and then immediately streams the uploaded body into mediaManager.createFileStream(...). Unlike the generic mutation path in BaseObjectResource.update and the explicit device mutation handler updateAccumulators, this route never invokes permissionsService.checkEdit(getUserId(), Device.class, false, false). The skipped guard is exactly where Traccar enforces readonly and deviceReadonly restrictions for non-admin users. An unauthorized user can replace a device’s stored image file under the server media directory. This allows modification of UI-visible device media and any downstream workflows that rely on the persisted image, despite other device update paths correctly rejecting the same identity. This vulnerability is fixed in 6.13.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Traccar/Traccarinferred2 versions
    <6.13.0+ 1 more
    • (no CPE)range: <6.13.0
    • (no CPE)range: <6.13.0

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.