Skip to main content

CVE-2026-33125

HIGH
Improper Authorization (CWE-285)
2026-03-18 https://github.com/blakeblackshear/frigate GHSA-vg28-83rp-8xx4
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 18, 2026 - 14:30 vuln.today
CVE Published
Mar 18, 2026 - 14:25 nvd
HIGH 7.1

DescriptionGitHub Advisory

Summary

Users with the viewer role can delete admin and other users account. It this leads to denial of service and affects data integrity.

Details

Endpoint DELETE /api/users/admin is enable to anonymous user.

<img width="436" height="100" alt="obraz" src="https://github.com/user-attachments/assets/817f9c47-7bd9-4247-a2f1-0f40778ab229" />

PoC

I deleted admin user on demo.frigate.video:

<img width="1091" height="222" alt="obraz" src="https://github.com/user-attachments/assets/34f50a13-3bb7-4aa8-99fa-bd815b3dc915" />

Impact

It this leads to denial of service and affects data integrity.

Recommended Fixes

Restrict access to the endpoint to authenticated admin users only: Add dependencies=[Depends(require_role(["admin"]))]) to this endpoint.

AnalysisAI

Frigate video surveillance software contains an authentication bypass vulnerability allowing users with viewer role privileges to delete administrator and other user accounts via an unrestricted API endpoint. The vulnerability affects the Frigate Python package (pkg:pip/frigate) and has been confirmed with a proof-of-concept demonstration successfully deleting the admin user on the demo.frigate.video instance. This leads to denial of service and compromises data integrity by allowing unauthorized account deletions.

Technical ContextAI

This vulnerability exists in the Frigate video surveillance application's REST API endpoint 'DELETE /api/users/admin', which is improperly configured to allow access without adequate authorization checks. The root cause falls under CWE-285 (Improper Authorization), where the endpoint fails to verify that the requesting user has administrative privileges before processing destructive operations. The affected product is distributed via PyPI as pkg:pip/frigate. The API framework used by Frigate supports role-based access control through dependency injection patterns, but this particular endpoint was deployed without the required 'require_role' dependency check, making it accessible to lower-privileged users including those with only viewer permissions.

RemediationAI

Apply the security patch available from the Frigate project as documented in the GitHub Security Advisory at https://github.com/blakeblackshear/frigate/security/advisories/GHSA-vg28-83rp-8xx4. The recommended fix involves restricting access to the vulnerable DELETE endpoint by adding the dependency 'dependencies=[Depends(require_role(["admin"]))]' to ensure only authenticated administrator users can access user deletion functionality. Organizations should update to the patched version of Frigate as soon as possible via 'pip install --upgrade frigate' or by pulling the latest container image if running Frigate in Docker. As an interim mitigation until patching is complete, implement network-level access controls to restrict API access to trusted IP ranges only, disable or remove viewer role accounts if not essential, and monitor API logs for unauthorized attempts to access the /api/users/ endpoints.

Share

CVE-2026-33125 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy