CVE-2022-23126
CRITICAL
TeslaMate < 1.25.1 - Unauthenticated Vehicle Control via Grafana Token Exposure
Title source: llm
Description
TeslaMate before 1.25.1 (when using the default Docker configuration) allows attackers to open doors of Tesla vehicles, start Keyless Driving, and interfere with vehicle operation en route. This occurs because an attacker can leverage Grafana login access to obtain a token for Tesla API calls.
References (5)
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/adriankumpf/teslamate/commit/fff6915e7364f83b3030f980d5743299c4e5260d
Issue Tracking, Third Party Advisory x_refsource_misc
https://twitter.com/teslascope/status/1481252837174624258
Patch, Third Party Advisory x_refsource_misc
https://github.com/adriankumpf/teslamate/compare/v1.25.0...v1.25.1
Release Notes, Third Party Advisory x_refsource_confirm
https://github.com/adriankumpf/teslamate/releases/tag/v1.25.1
Various Sources x_refsource_misc
https://medium.com/%40david_colombo/how-i-got-access-to-25-teslas-around-the-world-by-accident-and-curiosity-8b9ef040a028
Scores
CVSS v3: 9.8
EPSS: 0.0227
EPSS Percentile: 80.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-287
Status: published
Products (1)
teslamate/teslamate < 1.25.1
Published: Jan 24, 2022
Tracked Since: Feb 18, 2026