Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS Vector (GitHub Advisory)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description (GitHub Advisory)
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through /api/config/raw. This exposes sensitive values that are intentionally redacted from /api/config, including camera credentials, go2rtc stream credentials, MQTT passwords, proxy secrets, and any other secrets stored in config.yml. This appears to be a broken access control issue introduced by the admin-by-default API refactor: /api/config/raw_paths is admin-only, but /api/config/raw is still accessible to any authenticated user. Version 0.17.1 contains a patch.
Analysis (AI)
Broken access control in Frigate 0.17.0 allows authenticated non-admin users to retrieve the complete raw configuration file via the /api/config/raw endpoint, exposing camera credentials, RTMP stream passwords, MQTT secrets, and proxy authentication tokens that are intentionally redacted from the standard /api/config API. The vulnerability stems from inconsistent authorization enforcement between /api/config/raw_paths (admin-only) and /api/config/raw (authenticated-user-accessible), introduced during an admin-by-default API refactor. …
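The inconsistent enforcement described in the description and analysis above, as an added Python example that is not Frigate's code: a constructed "before" route table with the gap next to the patched one, an `authorize` check, and an `audit_admin_only` helper that flags any raw-config route not restricted to admins. The route table layout, role names and helper functions are assumptions; Frigate's real routing and role model may differ.

```python
# Added example (not Frigate's code): models the admin-by-default authorization
# gap from the advisory and a regression check that catches it.
# Route table layout, role names and helpers are assumptions.
from dataclasses import dataclass

ADMIN = "admin"
VIEWER = "viewer"

# Role ordering: higher rank = more privilege.
ROLE_RANK = {VIEWER: 0, ADMIN: 1}


@dataclass(frozen=True)
class Route:
    path: str
    min_role: str  # lowest role allowed to call the route


# Constructed "before" table: raw_paths was made admin-only, raw was missed.
VULNERABLE_ROUTES = [
    Route("/api/config", VIEWER),          # redacted view, fine for viewers
    Route("/api/config/raw_paths", ADMIN),
    Route("/api/config/raw", VIEWER),      # the gap: full config.yml to any user
]

# Constructed "after" table matching the admin-only behaviour the advisory
# says 0.17.1 restores.
PATCHED_ROUTES = [
    Route("/api/config", VIEWER),
    Route("/api/config/raw_paths", ADMIN),
    Route("/api/config/raw", ADMIN),
]


def authorize(routes, path, role):
    """Return True if a user holding `role` may call `path`; unknown paths deny."""
    for r in routes:
        if r.path == path:
            return ROLE_RANK[role] >= ROLE_RANK[r.min_role]
    return False


def audit_admin_only(routes, sensitive_prefixes=("/api/config/raw",)):
    """List routes under a sensitive prefix that are not admin-only.

    Run this as a test after an admin-by-default refactor: every endpoint
    that can return unredacted secrets must require ADMIN, with no exceptions.
    """
    return [r.path for r in routes
            if r.path.startswith(sensitive_prefixes) and r.min_role != ADMIN]
```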
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Risk Assessment | The CVSS 3.1 score of 6.5 (Medium-High) reflects a network-accessible, low-complexity attack requiring only low privileges (an authenticated user), with high confidentiality impact but no integrity or availability impact (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). … |
| Exploit Scenario | An authenticated user with limited read-only permissions on a shared Frigate instance (e.g., a family member or employee with basic camera-viewing access) makes an HTTP GET request to `/api/config/raw` with a valid API token or session cookie. The endpoint returns the unfiltered configuration YAML file, exposing plaintext MQTT broker passwords, camera stream credentials, and proxy secrets. … |
| Remediation | Upgrade Frigate to version 0.17.1 or later immediately to receive the vendor-released patch that restores admin-only access control to the `/api/config/raw` endpoint. … |
Recommended Action (AI)
Within 30 days: identify affected systems running Frigate 0.17.0 and apply vendor patches as part of the regular patch cycle. …
EUVD-2026-16266