CVE-2026-48745 traccar CVE debrief

Who should care

Organizations and individuals using Traccar Client versions 9.7.19 and below should be aware of this critical vulnerability. Updating to version 9.7.20 or later is essential to prevent potential location tracking by attackers.

Technical summary

The Traccar Client app for GPS tracking is vulnerable to a deep link hijacking issue. The app registers a custom 'org.traccar.client://config' deep-link scheme that can silently write attacker-supplied parameters into the app's configuration. This allows an attacker to redirect GPS telemetry to their server by crafting a single deep link, which can be delivered via SMS, email, or a webpage. The change persists across app restarts, enabling continuous tracking of the victim's location.

Defensive priority

Critical

Recommended defensive actions

• Update Traccar Client to version 9.7.20 or later
• Be cautious when clicking on links from unknown sources
• Use secure communication channels for sending location updates
• Monitor GPS tracking configurations for suspicious changes
• Implement additional security measures, such as two-factor authentication
• Regularly review and update mobile app configurations
• Consider using alternative GPS tracking solutions with enhanced security features

Evidence notes

The information provided is based on the CVE record and NVD details. The vulnerability was published on June 17, 2026, and modified on the same day. The issue was fixed in version 9.7.20, as mentioned in the CVE description.

Official resources