πŸ” CVE Alert

CVE-2026-44314

Severity: UNKNOWN (CVSS 0.0)

Traccar: Missing edit authorization on device image upload allows read-only users to write files

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.Permission(User.class, getUserId(), Device.class), a check that confirms the caller is linked to the device, and then immediately streams the uploaded body into mediaManager.createFileStream(...). Unlike the generic mutation path in BaseObjectResource.update and the explicit device mutation handler updateAccumulators, this route never invokes permissionsService.checkEdit(getUserId(), Device.class, false, false). That skipped guard is exactly where Traccar enforces the readonly and deviceReadonly restrictions for non-admin users. As a result, a user who is linked to a device but restricted to read-only access can replace that device's stored image file under the server media directory, modifying UI-visible device media and any downstream workflow that relies on the persisted image, even though the other device update paths correctly reject the same identity. The vulnerability is fixed in 6.13.0.
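A simplified model of the missing guard, added here as an illustration and not Traccar's own code: a hypothetical PermissionsService whose checkEdit refuses device mutations for readonly and deviceReadonly users, with the upload handler in its vulnerable shape (view-link check only) beside the fixed shape (edit guard before any write). All class, record and method names below are assumptions, not the project's API.

```java
import java.util.Map;
import java.util.Set;

public class DeviceImageAuthzExample {

    // Hypothetical user record carrying the two flags the advisory names.
    record User(long id, boolean administrator, boolean readonly, boolean deviceReadonly) {}

    static class PermissionsService {
        // Which devices each user is linked to (the Condition.Permission-style view check).
        private final Map<Long, Set<Long>> userDevices;

        PermissionsService(Map<Long, Set<Long>> userDevices) { this.userDevices = userDevices; }

        boolean canView(User user, long deviceId) {
            return user.administrator() || userDevices.getOrDefault(user.id(), Set.of()).contains(deviceId);
        }

        // Models checkEdit: non-admin users flagged readonly or deviceReadonly may not mutate devices.
        void checkEdit(User user) {
            if (user.administrator()) return;
            if (user.readonly() || user.deviceReadonly()) {
                throw new SecurityException("device edit not permitted for user " + user.id());
            }
        }
    }

    // Vulnerable shape: only the user-device link is checked before the file is written.
    static boolean uploadImageVulnerable(PermissionsService ps, User user, long deviceId) {
        if (!ps.canView(user, deviceId)) throw new SecurityException("no link to device " + deviceId);
        return writeImage(deviceId);
    }

    // Fixed shape: the edit guard runs before the write, matching the other device mutation paths.
    static boolean uploadImageFixed(PermissionsService ps, User user, long deviceId) {
        if (!ps.canView(user, deviceId)) throw new SecurityException("no link to device " + deviceId);
        ps.checkEdit(user);
        return writeImage(deviceId);
    }

    // Stand-in for mediaManager.createFileStream(...); no real file is written.
    private static boolean writeImage(long deviceId) { return true; }

    public static void main(String[] args) {
        // Constructed sample: user 7 is linked to device 42 but flagged readonly.
        PermissionsService ps = new PermissionsService(Map.of(7L, Set.of(42L)));
        User readOnlyUser = new User(7, false, true, false);
        System.out.println("vulnerable route wrote image: " + uploadImageVulnerable(ps, readOnlyUser, 42));
        try { uploadImageFixed(ps, readOnlyUser, 42); }
        catch (SecurityException e) { System.out.println("fixed route refused: " + e.getMessage()); }
    }
}
```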

CWE CWE-863
Vendor traccar
Product traccar
Published May 26, 2026
Last Updated May 26, 2026

Affected Versions

traccar / traccar
< 6.13.0

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/traccar/traccar/security/advisories/GHSA-33v4-5x2g-7mjm