PatchSiren

Traccar CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

Severity: MEDIUM. Product: Traccar. Published: 2026-05-26.

CVE-2026-44314

Traccar versions prior to 6.13.0 contain an authorization bypass in the device image upload functionality. The `DeviceResource.uploadImage` endpoint validates user permissions through `Condition.Permission(User.class, getUserId(), Device.class)` but fails to invoke `permissionsService.checkEdit(getUserId(), Device.class, false, false)`—the guard that enforces `readonly` and `deviceReadonly` restrictions f [truncated]