GHSA-prxj-3gcv-cqrh: Tesla Fleet Telemetry allows spoofing telemetry for arbitrary vehicles via compromised vehicle credentials

April 1, 2026

A vulnerability in vehicle authentication allows threat actor with valid client credentials (i.e., a private key and certificate from a rooted infotainment system) to impersonate arbitrary VINs when authenticating to the telemetry server.

References

github.com/advisories/GHSA-prxj-3gcv-cqrh
github.com/teslamotors/fleet-telemetry
github.com/teslamotors/fleet-telemetry/commit/d5ca0dab55812029fd38eb77f079f74ce4f47286
github.com/teslamotors/fleet-telemetry/security/advisories/GHSA-prxj-3gcv-cqrh

Code Behaviors & Features

Detect and mitigate GHSA-prxj-3gcv-cqrh with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →