Frigate EUVD-2026-16267 | CVE-2026-33470
Missing Authorization (CWE-862)
Published 2026-03-26 · Source: GitHub_M (GitHub Advisory)
CVSS 3.1: 6.5 MEDIUM
Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Mar 26, 2026 - 17:06 · CVE Published (nvd)
Mar 26, 2026 - 17:15 · EUVD ID Assigned (euvd): EUVD-2026-16267
Mar 26, 2026 - 17:15 · Analysis Generated (vuln.today)

Description (GitHub Advisory)

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, a low-privilege authenticated user restricted to one camera can access snapshots from other cameras. This is possible through a chain of two authorization problems: /api/timeline returns timeline entries for cameras outside the caller's allowed camera set, then /api/events/{event_id}/snapshot-clean.webp declares Depends(require_camera_access) but never actually validates event.camera after looking up the event. Together, this allows a restricted user to enumerate event IDs from unauthorized cameras and then fetch clean snapshots for those events. Version 0.17.1 fixes the issue.

Analysis (AI-generated)

Frigate network video recorder versions prior to 0.17.1 allow authenticated users with restricted camera access to enumerate and retrieve snapshots from unauthorized cameras through a two-step authorization bypass in the timeline and snapshot APIs. An attacker with low-privilege credentials limited to one camera can exploit missing validation in the snapshot-clean.webp endpoint to access video evidence from other cameras in the system, compromising the confidentiality of surveillance data across the entire installation. …

Vulnerability Assessment (AI-generated)

Risk Assessment The CVSS 3.1 score of 6.5 (Medium) reflects a Network attack vector, Low attack complexity (no special conditions required), Low privileges required (any authenticated account, even one restricted to a single camera), no user interaction, and High confidentiality impact (disclosure of snapshots from cameras outside the caller's allowed set), with no integrity or availability impact. …
Exploit Scenario An authenticated user with Frigate credentials limited to monitoring a single front-door camera queries the /api/timeline endpoint and discovers event IDs belonging to other cameras (e.g., backyard, side-gate) that they should not have access to. The attacker then constructs requests to /api/events/{discovered_event_id}/snapshot-clean.webp for these unauthorized event IDs; due to the missing camera validation in the endpoint handler, the requests succeed and return clean snapshots from cameras outside their authorization scope. …
Remediation Upgrade Frigate to version 0.17.1 or later, which addresses both halves of the chain: the timeline endpoint's missing camera filter and the snapshot endpoint's missing check of event.camera after the lookup. The advisory describes no workaround. Because the bypass requires valid credentials (PR:L), exposure is limited to installations that provision per-camera restricted accounts; in such installations, treat any restricted user as able to read snapshots from every camera until the upgrade is applied. …
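To make the two-step chain and its fix concrete, here is an added pure-Python model. It is not Frigate's code and is not taken from the advisory; the event store, the restricted user, the event IDs and the shape of the require_camera_access() check are assumptions constructed for this illustration (Frigate's real check is a FastAPI dependency and is not reproduced). The vulnerable side follows the description above: the timeline returns entries for every camera, and the snapshot route runs an access check that has no camera to compare against and never validates event.camera.

```python
"""Added example (not Frigate's code): in-memory model of the authorization
chain described for CVE-2026-33470, beside the corrected checks.
Event store, users, IDs and the check's shape are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    id: str
    camera: str


@dataclass(frozen=True)
class User:
    name: str
    cameras: frozenset  # cameras this account is allowed to view


class Forbidden(Exception):
    pass


# Constructed stand-in for the NVR's event table (IDs are made up).
EVENTS = {
    "1711000000.1-aaaaaa": Event("1711000000.1-aaaaaa", "front_door"),
    "1711000001.2-bbbbbb": Event("1711000001.2-bbbbbb", "backyard"),
    "1711000002.3-cccccc": Event("1711000002.3-cccccc", "side_gate"),
}

# Constructed low-privilege account restricted to one camera.
RESTRICTED = User("viewer", frozenset({"front_door"}))


def require_camera_access(user, camera_name=None):
    """Modelled access check. camera_name stands for a route path parameter;
    when the route carries none, there is nothing to compare and it passes."""
    if camera_name is not None and camera_name not in user.cameras:
        raise Forbidden(f"{user.name} may not view {camera_name}")


# --- behaviour the advisory describes for 0.17.0 -------------------------

def timeline_vulnerable(user):
    # Problem 1: entries are not filtered by the caller's camera set.
    return [e.id for e in EVENTS.values()]


def snapshot_vulnerable(user, event_id):
    # Problem 2: the check runs but has no camera to test, and the
    # camera the event actually belongs to is never compared afterwards.
    require_camera_access(user)
    event = EVENTS[event_id]
    return f"snapshot:{event.camera}/{event.id}"


# --- corrected form ------------------------------------------------------

def timeline_fixed(user):
    return [e.id for e in EVENTS.values() if e.camera in user.cameras]


def snapshot_fixed(user, event_id):
    # Object-level check: resolve the event, then authorise on its camera.
    # This holds even if an event ID is learned some other way.
    event = EVENTS[event_id]
    require_camera_access(user, event.camera)
    return f"snapshot:{event.camera}/{event.id}"


def run_chain(timeline, snapshot, user):
    """Enumerate via the timeline, then fetch each snapshot; return the
    sorted list of cameras whose snapshots the user obtained."""
    obtained = set()
    for event_id in timeline(user):
        try:
            snapshot(user, event_id)
        except Forbidden:
            continue
        obtained.add(EVENTS[event_id].camera)
    return sorted(obtained)


def denied(snapshot, user, event_id):
    """True if the given snapshot route refuses this event for this user."""
    try:
        snapshot(user, event_id)
    except Forbidden:
        return True
    return False


def demo():
    return {
        "vulnerable": run_chain(timeline_vulnerable, snapshot_vulnerable, RESTRICTED),
        "fixed": run_chain(timeline_fixed, snapshot_fixed, RESTRICTED),
    }


if __name__ == "__main__":
    print(demo())
```

The model shows why both halves matter: filtering the timeline alone removes the enumeration step but leaves any event ID learned elsewhere fetchable through the unvalidated snapshot route, so the object-level check after the lookup is the part that closes the disclosure.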

Recommended Action (AI-generated)

Within 30 days: Identify Frigate instances running a version before 0.17.1 and apply the vendor patch as part of the regular patch cycle. …

EUVD-2026-16267 vulnerability details – vuln.today