Cross-Site WebSocket Hijacking Vulnerability in Traccar GPS Tracking System
CVE-2025-68930

7.1 HIGH

Key Information:

Vendor: Traccar
Status: Vendor
CVE Published: 23 February 2026

What is CVE-2025-68930?

Traccar, an open-source GPS tracking system, is affected by a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in its /api/socket endpoint. The WebSocket handshake does not adequately validate the Origin header. Because the Same Origin Policy does not stop a page from opening a WebSocket to another origin, the server-side Origin check is the only thing standing between an attacker-controlled page and the endpoint; when that check is missing or loose, a page the victim visits while logged in can open a connection to /api/socket, the browser attaches the victim's ambient session credentials, and the attacker obtains a full-duplex WebSocket connection inside that user's session, allowing unauthorized actions or exposure of the data the socket carries. Exploitation requires no privileges but does require user interaction: the victim must load the attacker's page while authenticated. At the time of writing it is uncertain whether a patch has been released.

Affected Version(s)

traccar <= 6.11.1
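As an added example (not Traccar's code and not the fix for this CVE), the following Node.js module shows the server-side decision the description above turns on: how a WebSocket upgrade to /api/socket should validate Origin, beside the kind of loose check that produces CSWSH. The hostnames, the allow-list and the sample handshakes are constructed for illustration.

```javascript
// Added example, not code from the Traccar project. Hostnames, the allow-list
// and the sample requests below are constructed.

// Origins that legitimately serve the web UI (assumed for this example).
const ALLOWED_ORIGINS = ['https://tracker.example.com'];

// Parse the head of a raw HTTP/1.1 upgrade request into method, target and a
// map of lower-cased header names to values.
function parseUpgradeRequest(raw) {
  const lines = raw.split('\r\n\r\n')[0].split('\r\n');
  const [method, target] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, target, headers };
}

// Reduce an Origin value to canonical scheme://host[:port] (scheme and host
// lower-cased, default port dropped) so the comparison is an exact match.
// Returns null for anything unparseable, including the literal "null" that
// browsers send for opaque origins.
function canonicalOrigin(value) {
  let u;
  try {
    u = new URL(value);
  } catch (e) {
    return null;
  }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  return u.origin;
}

// The shape of check that leads to CSWSH: a missing Origin is waved through and
// a substring test lets "https://tracker.example.com.attacker.example" pass.
function weakOriginCheck(headers) {
  const origin = headers['origin'];
  if (!origin) return true;
  return origin.includes('tracker.example.com');
}

// Hardened check: Origin must be present, parse cleanly and equal an
// allow-listed origin exactly. A page cannot forge this header from script,
// so an exact match is what defeats cross-site hijacking.
function strictOriginCheck(headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers['origin'];
  if (!origin) return false;
  const canon = canonicalOrigin(origin);
  return canon !== null && allowed.includes(canon);
}

// Handshake decision: 101 accepts the upgrade, 403 refuses it, 400 is a
// malformed request. The Origin check is enforced whenever the request carries
// a cookie, because ambient cookie authentication is what a cross-site page
// rides on; a client that sends no cookie is left to the application's own
// authentication of the socket.
function decideUpgrade(raw, allowed = ALLOWED_ORIGINS) {
  const req = parseUpgradeRequest(raw);
  const upgrade = (req.headers['upgrade'] || '').toLowerCase();
  if (req.method !== 'GET' || upgrade !== 'websocket') return 400;
  if ('cookie' in req.headers && !strictOriginCheck(req.headers, allowed)) return 403;
  return 101;
}

// Constructed sample handshakes (not captured traffic). Every one carries the
// victim's cookie, as a browser would attach it to a same-site WebSocket.
function buildRequest(originLine) {
  return [
    'GET /api/socket HTTP/1.1',
    'Host: tracker.example.com',
    'Upgrade: websocket',
    'Connection: Upgrade',
    'Cookie: session=victim-session-id',
    ...(originLine ? [originLine] : []),
    'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==',
    'Sec-WebSocket-Version: 13',
    '',
    '',
  ].join('\r\n');
}

const SAMPLES = {
  legit: buildRequest('Origin: https://tracker.example.com'),
  crossSite: buildRequest('Origin: https://attacker.example'),
  prefixBypass: buildRequest('Origin: https://tracker.example.com.attacker.example'),
  noOrigin: buildRequest(null),
};

// Run every sample through both checks: { name: { weak, strict, decision } }.
function summarize() {
  const out = {};
  for (const [name, raw] of Object.entries(SAMPLES)) {
    const h = parseUpgradeRequest(raw).headers;
    out[name] = { weak: weakOriginCheck(h), strict: strictOriginCheck(h), decision: decideUpgrade(raw) };
  }
  return out;
}

console.log(summarize());
```

To check a deployment for this behaviour, send the upgrade request with a valid session cookie and an Origin the server should not trust (another host, or the legitimate host with a suffix appended as in the prefixBypass sample) and observe whether the server answers 101; a 403 or a closed connection indicates an Origin check is in place. A missing Origin header must not be treated as trusted when the connection is authenticated by cookie, but clients that authenticate by other means may legitimately send none, which is why the example only enforces the check when a cookie is present.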

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Note: the metrics as listed (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H) compute to a base score of 8.3 under CVSS v3.1. A base score of 7.1 corresponds to the same vector with Availability: None (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N), so either the score or the Availability metric shown here is inconsistent with the other.
