What is the CVSS score of CVE-2026-33124?

CVE-2026-33124 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Frigate are affected by CVE-2026-33124?

Frigate video surveillance platform versions prior to 0.17.0-beta1 contain a critical authentication flaw allowing any authenticated user to forcibly reset another user's password and maintain…. A patch is available.

How to fix or mitigate CVE-2026-33124?

Within 24 hours: Identify all Frigate instances in your environment and document current versions via admin interface or API queries. Within 7 days: Upgrade all Frigate installations to version 0.17.0-beta1 or later; if production constraints prevent immediate upgrade, implement network-level access controls restricting the /users/{username}/password endpoint to administrative IPs only. Within 30 days: Conduct audit of JWT token issuance logs to identify any unauthorized password changes, and force re-authentication of all active sessions post-upgrade to invalidate pre-patch tokens.

Frigate CVE-2026-33124

EUVD-2026-13653 HIGH

Improper Authentication (CWE-287)

2026-03-20 GitHub_M

XSS Authentication Bypass Frigate

8.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:19 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

0.17.0-beta1

EUVD ID Assigned

Mar 20, 2026 - 09:30 euvd

EUVD-2026-13653

Analysis Generated

Mar 20, 2026 - 09:30 vuln.today

CVE Published

Mar 20, 2026 - 09:16 nvd

HIGH 8.8

DescriptionGitHub Advisory

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Versions prior to 0.17.0-beta1 allow any authenticated user to change their own password without verifying the current password through the /users/{username}/password endpoint. Changing a password does not invalidate existing JWT tokens, and there is no validation of password strength. If an attacker obtains a valid session token (e.g., via accidentally exposed JWT, stolen cookie, XSS, compromised device, or sniffing over HTTP), they can change the victim’s password and gain permanent control of the account. Since password changes do not invalidate existing JWT tokens, session hijacks persist even after a password reset. Additionally, the lack of password strength validation exposes accounts to brute-force attacks. This issue has been resolved in version 0.17.0-beta1.

AnalysisAI

{username}/password endpoint, combined with a failure to invalidate existing JWT tokens upon password change and absence of password strength validation. An attacker who obtains a valid session token through XSS, accidental exposure, cookie theft, compromised device, or unencrypted HTTP sniffing can permanently hijack victim accounts by changing their password while maintaining session access through non-invalidated tokens. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain valid JWT session token

Exploit

Send POST to /users/{username}/password endpoint

Execution

Change victim's password without verification

Impact

Maintain persistent access via compromised account

Access

Obtain valid JWT session token

Exploit

Send POST to /users/{username}/password endpoint

Execution

Change victim's password without verification

Impact

Maintain persistent access via compromised account

Vulnerability AssessmentAI

Exploitation	Frigate versions prior to 0.17.0-beta1. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	While CVSS and EPSS scores are not provided in the intelligence data, the vulnerability exhibits high real-world risk through multiple independent signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker performs a reflected XSS attack on a Frigate web interface form and extracts the JWT token from localStorage or session cookies of an authenticated administrator. Using this token, the attacker calls the /users/admin/password endpoint without providing the current password, setting a new credential of their choice. …
Remediation	Immediately upgrade Frigate to version 0.17.0-beta1 or later, as documented in the vendor advisory at https://github.com/blakeblackshear/frigate/security/advisories/GHSA-24p8-r573-vwr2. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

{username}/password endpoint to administrative IPs only. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33124 vulnerability details – vuln.today

Back

Frigate CVE-2026-33124

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code