Listen to this Post
How the mentioned CVE works
The vulnerability exists in Traccar’s `DeviceResource.uploadImage` endpoint. Prior to version 6.13.0, this method authorizes the target device using Condition.Permission(User.class, getUserId(), Device.class). This checks only that the user has some permission on the device, typically read access. Immediately after, the endpoint streams the uploaded file into mediaManager.createFileStream(...), writing the image to the server’s media directory. Crucially, the code path never calls permissionsService.checkEdit(getUserId(), Device.class, false, false). This missing call is the exact guard that enforces `readonly` and `deviceReadonly` restrictions for non‑admin users elsewhere, such as in `BaseObjectResource.update` and the `updateAccumulators` mutation handler. As a result, an authenticated user with only read‑only rights to a device (e.g., a viewer or a restricted user) can still upload a new image file for that device, overwriting the existing stored image. The server does not verify write permissions at the point of file creation. This allows unauthorized modification of device‑visible media in the UI and any automated workflows that rely on the persisted image, despite all other device update paths correctly rejecting the same identity.
dailycve form:
Platform: Traccar
Version: prior 6.13.0
Vulnerability : Authorization Bypass
Severity: Medium
date: 2026-05-26
Prediction: Patch date 2026-05-26
What Undercode Say:
Check if Traccar version is vulnerable
curl -s http://target:8082/api/server | jq '.version'
Exploit example: replace device image with attacker-controlled file
DEVICE_ID=123
ATTACKER_IMAGE="evil.png"
SESSION_TOKEN="readonly_user_token"
curl -X POST "http://target:8082/api/devices/${DEVICE_ID}/image" \
-H "Authorization: Bearer ${SESSION_TOKEN}" \
-F "file=@${ATTACKER_IMAGE}"
Exploit:
Send a multipart POST request to `/api/devices/
Protection from this CVE
Upgrade to Traccar version 6.13.0 or later. If immediate upgrade is not possible, apply the vendor patch manually: insert a call to `permissionsService.checkEdit(getUserId(), Device.class, false, false)` inside `DeviceResource.uploadImage` before the `mediaManager.createFileStream(…)` call. Alternatively, restrict network access to the API endpoint or enforce strict per‑device write permissions via a reverse proxy authentication layer.
Impact
An authenticated attacker with only read‑only device access can replace any device’s stored image file. This leads to UI defacement, potential social engineering (e.g., fake location images), and corruption of downstream analytics or reporting systems that depend on the integrity of device media. No admin privileges are required.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

