CVE-2026-33125
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Description
### Summary

Users with the viewer role can delete the admin and other users' accounts. This leads to denial of service and affects data integrity.

### Details

Endpoint `DELETE /api/users/admin` is enabled for anonymous users.

### PoC

I deleted the admin user on `demo.frigate.video`.

### Impact

This leads to denial of service and affects data integrity.

### Recommended Fixes

Restrict access to the endpoint to authenticated admin users only: add `dependencies=[Depends(require_role(["admin"]))]` to this endpoint.
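As an added illustration (not Frigate's or FastAPI's code, and not part of the advisory), the unguarded DELETE route beside the guarded one: a minimal in-memory model of a FastAPI-style dependency guard, in which `require_role` is modelled on the name the advisory uses, `Router`, `build` and `attempt` are hypothetical names, and the accounts are constructed sample data.

```python
from typing import Callable, Dict, List, Optional, Tuple

class HTTPException(Exception):
    pass  # args[0] carries the HTTP status code

def require_role(allowed: List[str]) -> Callable[[Optional[str]], None]:
    # Guard factory modelled on the advisory's require_role(): anonymous -> 401,
    # authenticated but with a role outside `allowed` -> 403.
    def guard(caller_role: Optional[str]) -> None:
        if caller_role is None:
            raise HTTPException(401, "authentication required")
        if caller_role not in allowed:
            raise HTTPException(403, "insufficient role")
    return guard

class Router:
    def __init__(self, users: Dict[str, str]):  # username -> role
        self.users, self.routes = users, {}
    def delete(self, path: str, dependencies=()):  # mimics @router.delete(path, dependencies=[...])
        def register(handler):
            self.routes[("DELETE", path)] = (handler, tuple(dependencies))
            return handler
        return register
    def call(self, method: str, path: str, caller_role: Optional[str], **params):
        handler, deps = self.routes[(method, path)]
        for dep in deps:  # guards run before the handler, as FastAPI's Depends() would
            dep(caller_role)
        return handler(self, **params)

def delete_user(router: Router, username: str) -> dict:
    router.users.pop(username, None)
    return {"success": True}

def build(hardened: bool) -> Router:
    router = Router({"admin": "admin", "bob": "viewer"})  # constructed sample accounts
    deps = [require_role(["admin"])] if hardened else []  # [] models the vulnerable route
    router.delete("/api/users/{username}", dependencies=deps)(delete_user)
    return router

def attempt(hardened: bool, caller: Optional[str], target: str) -> Tuple[int, bool]:
    # Returns (HTTP status, whether `target` still exists) for one DELETE attempt;
    # caller=None models an anonymous request.
    router = build(hardened)
    caller_role = router.users.get(caller) if caller else None
    try:
        router.call("DELETE", "/api/users/{username}", caller_role, username=target)
        status = 200
    except HTTPException as exc:
        status = exc.args[0]
    return status, target in router.users
```

With the guard in place a viewer's or anonymous request is refused before the handler runs, so the admin account survives, while an admin caller is still served.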
Analysis
Frigate video surveillance software contains an authentication bypass vulnerability allowing users with viewer role privileges to delete administrator and other user accounts via an unrestricted API endpoint. The vulnerability affects the Frigate Python package (pkg:pip/frigate) and has been confirmed with a proof-of-concept demonstration successfully deleting the admin user on the demo.frigate.video instance. …
Remediation
Within 24 hours: Isolate Frigate instances from untrusted networks and restrict API access to administrative personnel only. Within 7 days: Implement network segmentation and WAF rules to block DELETE requests to user management endpoints from non-administrative sources; audit logs for evidence of exploitation. …
External PoC / exploit code: GHSA-vg28-83rp-8xx4