CVE-2026-33125
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
Users with the viewer role can delete admin and other users account. It this leads to denial of service and affects data integrity.
Details
Endpoint DELETE /api/users/admin is enable to anonymous user.
<img width="436" height="100" alt="obraz" src="https://github.com/user-attachments/assets/817f9c47-7bd9-4247-a2f1-0f40778ab229" />
PoC
I deleted admin user on demo.frigate.video:
<img width="1091" height="222" alt="obraz" src="https://github.com/user-attachments/assets/34f50a13-3bb7-4aa8-99fa-bd815b3dc915" />
Impact
It this leads to denial of service and affects data integrity.
Recommended Fixes
Restrict access to the endpoint to authenticated admin users only: Add dependencies=[Depends(require_role(["admin"]))]) to this endpoint.
AnalysisAI
Frigate video surveillance software contains an authentication bypass vulnerability allowing users with viewer role privileges to delete administrator and other user accounts via an unrestricted API endpoint. The vulnerability affects the Frigate Python package (pkg:pip/frigate) and has been confirmed with a proof-of-concept demonstration successfully deleting the admin user on the demo.frigate.video instance. This leads to denial of service and compromises data integrity by allowing unauthorized account deletions.
Technical ContextAI
This vulnerability exists in the Frigate video surveillance application's REST API endpoint 'DELETE /api/users/admin', which is improperly configured to allow access without adequate authorization checks. The root cause falls under CWE-285 (Improper Authorization), where the endpoint fails to verify that the requesting user has administrative privileges before processing destructive operations. The affected product is distributed via PyPI as pkg:pip/frigate. The API framework used by Frigate supports role-based access control through dependency injection patterns, but this particular endpoint was deployed without the required 'require_role' dependency check, making it accessible to lower-privileged users including those with only viewer permissions.
RemediationAI
Apply the security patch available from the Frigate project as documented in the GitHub Security Advisory at https://github.com/blakeblackshear/frigate/security/advisories/GHSA-vg28-83rp-8xx4. The recommended fix involves restricting access to the vulnerable DELETE endpoint by adding the dependency 'dependencies=[Depends(require_role(["admin"]))]' to ensure only authenticated administrator users can access user deletion functionality. Organizations should update to the patched version of Frigate as soon as possible via 'pip install --upgrade frigate' or by pulling the latest container image if running Frigate in Docker. As an interim mitigation until patching is complete, implement network-level access controls to restrict API access to trusted IP ranges only, disable or remove viewer role accounts if not essential, and monitor API logs for unauthorized attempts to access the /api/users/ endpoints.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-vg28-83rp-8xx4