Skip to main content

Frigate EUVD-2026-13772

| CVE-2026-33126 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-20 GitHub_M
SSRF Frigate
5.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.0 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
0.16.3
EUVD ID Assigned
Mar 20, 2026 - 20:15 euvd
EUVD-2026-13772
Analysis Generated
Mar 20, 2026 - 20:15 vuln.today
CVE Published
Mar 20, 2026 - 19:57 nvd
MEDIUM 5.0

DescriptionGitHub Advisory

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to version 0.16.3, the /ffprobe endpoint accepts arbitrary user-controlled URLs without proper validation, allowing Server-Side Request Forgery (SSRF) attacks. An attacker can use the Frigate server to make HTTP requests to internal network resources, cloud metadata services, or perform port scanning. This issue has been patched in version 0.16.3.

AnalysisAI

Frigate versions prior to 0.16.3 contain a Server-Side Request Forgery (SSRF) vulnerability in the /ffprobe endpoint that accepts arbitrary user-controlled URLs without proper validation. An authenticated attacker can leverage this endpoint to make HTTP requests to internal network resources, cloud metadata services (such as AWS IMDSv1), or perform reconnaissance activities like port scanning against systems accessible from the Frigate server. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment The CVSS 5.0 score with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N reflects moderate severity: network-accessible, low attack complexity, requires low privileges (authentication), and impacts integrity across scope boundaries with no confidentiality or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user with access to the Frigate web interface or API submits a request to the /ffprobe endpoint with a malicious URL such as 'http://169.254.169.254/latest/meta-data/' (AWS metadata service) or 'http://192.168.1.1/admin' (internal router). The Frigate server, running with network access to internal resources, automatically makes the HTTP request and returns the response to the attacker, exposing cloud credentials, internal service configurations, or revealing open internal services. …
Remediation Upgrade Frigate to version 0.16.3 or later immediately (see vendor release at https://github.com/blakeblackshear/frigate/releases/tag/v0.16.3 and advisory at https://github.com/blakeblackshear/frigate/security/advisories/GHSA-j6g3-3j3q-c2xv). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-13772 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy