
Traccar Client Deep Link Hijacks GPS Tracking

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-48745

A vulnerability in the Traccar Client mobile app allows a crafted link to secretly hijack GPS tracking parameters and redirect telemetry to an attacker-controlled server. This happens when a user taps a malicious deep link, silently reconfiguring the app without confirmation, leading to continuous, real-time location t

Halo Surface Signal: 1

External exposure likelihood

Halo Surface Signal score for CVE-2026-48745

The vulnerability resides in a mobile client-side application requiring user interaction via deep links (such as tapping a link in an email or SMS). It does not involve a network-reachable service, public-facing infrastructure, or server-side deployment that would be exposed to the internet.

PCI scan relevance

PCI Relevance for CVE-2026-48745

Yes

CVE-2026-48745 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Traccar Client allows for silent hijacking of GPS tracking parameters and redirection of telemetry to an attacker-controlled server. The critical severity indicates a significant risk.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A security issue in the Traccar Client mobile application allows a malicious actor to secretly redirect a user's location data to an attacker-controlled server by tricking the user into clicking a specially crafted link. This could lead to unauthorized, continuous real-time tracking of an individual's location without their knowledge or consent. The primary concern is to confirm if this type of application is in use within the organization and to understand the potential exposure.

  • A crafted link hidden in a message can hijack location tracking.
  • Fixing it protects against covert, continuous location spying.
  • Confirm whether the app is in use and assess the potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker can send a specially crafted link to a victim's mobile device. If the victim taps this link, the Traccar Client app can be silently reconfigured without the user's knowledge. This allows the attacker to redirect all of the victim's GPS location data to a server controlled by the attacker.

  • Requires a user to tap a malicious link.
  • A deep link silently changes app settings.
  • Enables continuous, covert location tracking.

Live Threat

Current exploitation, exposure, and threat context

According to the advisory, a crafted deep link can silently reconfigure the Traccar Client mobile application, redirecting GPS tracking data to an attacker-controlled server without user confirmation or notification. This can lead to continuous, real-time location tracking of the victim.

  • Asset at risk: the victim's GPS tracking data.
  • Trigger: tapping a malicious deep link.
  • Impact: continuous, real-time location tracking.

Operational Fix

Recommended remediation, mitigation, and detection steps

Real-world ownership of this vulnerability likely falls to the mobile application owners and platform teams responsible for managing the Traccar Client app. The first practical step is to identify all devices where the Traccar Client is installed, assess the risk based on user interaction and data sensitivity, and then coordinate remediation efforts with end-users or IT support.

  • Mobile application owners should own the issue.
  • Verify user interaction and asset criticality first.
  • Plan for controlled app updates and user guidance.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Traccar Client application?

Traccar Client is a mobile application designed to turn a smartphone into a GPS tracking device. It sends real-time location data to a private Traccar server, which is an open-source platform used for fleet management, asset tracking, or personal location monitoring. The app continuously transmits location updates based on configured parameters like distance and frequency.

What does CWE-940 mean for CVE-2026-48745?

CWE-940 refers to Improper Verification of Source of a Communication Channel. In this vulnerability, the app fails to verify that the instructions it receives from a deep link are legitimate. Because the app blindly trusts these external commands, an attacker can exploit this weakness to inject their own settings into the app, effectively taking control of where your GPS data is sent without your permission.
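To make the CWE-940 pattern concrete, the following added example (not Traccar's code; the `tracker://configure` scheme, the setting names and the `TrackerConfig` fields are all assumptions) contrasts a deep-link handler that applies every parameter it is handed with a hardened one that only accepts known settings, refuses a server URL that is not HTTPS and not on an allowlist, and asks the user before any telemetry-redirecting setting changes.

```python
from dataclasses import dataclass, replace
from urllib.parse import parse_qs, urlparse

# Hypothetical custom scheme and setting names; not the real app's deep-link format.
SCHEME = "tracker"
SETTING_KEYS = {"server", "id", "frequency"}
SENSITIVE_KEYS = {"server", "id"}  # changing either one redirects telemetry


@dataclass(frozen=True)
class TrackerConfig:
    server: str      # URL the app reports locations to
    id: str          # device identifier used on that server
    frequency: int   # reporting interval in seconds


def parse_deep_link(url):
    """Return the query parameters of a tracker://configure?... link as a dict."""
    parts = urlparse(url)
    if parts.scheme != SCHEME or parts.netloc != "configure":
        raise ValueError("not a configure deep link")
    params = parse_qs(parts.query)
    return {key: values[0] for key, values in params.items()}


def apply_deep_link_unsafe(config, url):
    """CWE-940 pattern: whoever crafted the link is trusted; settings change silently."""
    updates = {}
    for key, value in parse_deep_link(url).items():
        if key in SETTING_KEYS:
            updates[key] = int(value) if key == "frequency" else value
    return replace(config, **updates)


def apply_deep_link_safe(config, url, trusted_hosts, confirm):
    """Hardened handler: validate origin of the instruction and require user consent.

    confirm(updates) is a callback standing in for a confirmation dialog; it must
    return True before any sensitive setting is changed.  Returns (config, reason).
    """
    params = parse_deep_link(url)
    unknown = set(params) - SETTING_KEYS
    if unknown:
        return config, "rejected: unknown parameters %s" % sorted(unknown)
    updates = {}
    for key, value in params.items():
        if key == "frequency":
            if not value.isdigit() or int(value) <= 0:
                return config, "rejected: invalid frequency %r" % value
            updates[key] = int(value)
        else:
            updates[key] = value
    if "server" in updates:
        srv = urlparse(updates["server"])
        # The link's origin is unverifiable, so the destination must be vetted instead.
        if srv.scheme != "https" or srv.hostname not in trusted_hosts:
            return config, "rejected: server %r not trusted" % updates["server"]
    if SENSITIVE_KEYS & set(updates) and not confirm(updates):
        return config, "declined by user"
    return replace(config, **updates), "applied"


if __name__ == "__main__":
    # Constructed sample: a device reporting to a corporate server.
    current = TrackerConfig(server="https://tracker.corp.example/", id="device-1", frequency=60)
    link = "tracker://configure?server=https://untrusted.example/&id=device-1"
    print("unsafe handler ->", apply_deep_link_unsafe(current, link).server)
    print("safe handler   ->", apply_deep_link_safe(current, link, {"tracker.corp.example"}, lambda u: True))
```

The allowlist stands in for whatever trust anchor the deployment has (an MDM-managed server setting, a certificate pin); the essential change is that the link itself is never treated as proof of who sent it.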

How is this vulnerability triggered?

The vulnerability is triggered when a user clicks a specially crafted 'deep link' on their mobile device, typically delivered through SMS, email, or a web browser. It is important to note that merely having the app installed is not enough to trigger the bug; the attacker specifically requires the user to interact with the malicious link for the reconfiguration to occur.

Is my device at risk based on Halo Surface Signal?

Halo Surface Signal indicates that this vulnerability is very unlikely to be exploited through standard network-based attacks. Because the flaw exists within a mobile client and requires manual user interaction, it does not involve the typical internet-facing services or public infrastructure that are often targeted by automated remote threats.

How do I secure my device against this issue?

The most effective way to secure your device is to update the Traccar Client app to version 9.7.20 or later, which contains the official fix. If you cannot update immediately, be extremely cautious about clicking unexpected or suspicious links sent to your mobile device, as these are the primary vector used to hijack the app's configuration.
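The Operational Fix section asks owners to identify every device running the client, and this answer gives the fixed version, 9.7.20. The following added example (not part of the advisory or of the Traccar project) triages a constructed MDM-style inventory export and reports which devices still run a version below the fix. The CSV layout and the Android package name `org.traccar.client` are assumptions; adjust them to whatever your inventory tool exports.

```python
import csv
import io
import re

FIXED_VERSION = "9.7.20"            # first fixed version, from the advisory
APP_PACKAGE = "org.traccar.client"  # assumed Android package name for the client

# Constructed sample export; real MDM exports will have more columns.
INVENTORY_CSV = """device_id,package,version
phone-001,org.traccar.client,9.7.19
phone-002,org.traccar.client,9.7.20
phone-003,org.traccar.client,9.8.1
phone-004,com.example.other,1.2.3
phone-005,org.traccar.client,9.10.0
phone-006,org.traccar.client,9.7.20-beta2
"""


def version_key(version):
    """Turn '9.7.20' into (9, 7, 20) so that 9.10.0 sorts after 9.7.20.

    A plain string comparison would wrongly rank '9.10.0' below '9.7.20'.
    Non-numeric suffixes such as '-beta2' are ignored for the numeric part.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version predates the fix."""
    return version_key(version) < version_key(fixed)


def triage_inventory(csv_text, package=APP_PACKAGE):
    """Return (devices with the app installed, devices still on a vulnerable version)."""
    installed, outdated = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["package"] != package:
            continue
        installed.append(row["device_id"])
        if is_vulnerable(row["version"]):
            outdated.append(row["device_id"])
    return installed, outdated


if __name__ == "__main__":
    have_app, need_update = triage_inventory(INVENTORY_CSV)
    print("devices with the client installed:", have_app)
    print("devices below %s:" % FIXED_VERSION, need_update)
```

Pre-release builds like `9.7.20-beta2` compare equal to `9.7.20` here; if your inventory contains them, decide deliberately whether a beta of the fixed version counts as patched rather than letting the suffix be silently dropped.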
