Frigate
Monthly
Frigate network video recorder versions prior to 0.17.1 allow authenticated users with restricted camera access to enumerate and retrieve snapshots from unauthorized cameras through a two-step authorization bypass in the timeline and snapshot APIs. An attacker with low-privilege credentials limited to one camera can exploit missing validation in the snapshot-clean.webp endpoint to access video evidence from other cameras in the system, compromising the confidentiality of surveillance data across the entire installation. A proof-of-concept exists, though no confirmation of active exploitation in the wild has been reported.
Broken access control in Frigate 0.17.0 allows authenticated non-admin users to retrieve the complete raw configuration file via the `/api/config/raw` endpoint, exposing camera credentials, RTMP stream passwords, MQTT secrets, and proxy authentication tokens that are intentionally redacted from the standard `/api/config` API. The vulnerability stems from inconsistent authorization enforcement between `/api/config/raw_paths` (admin-only) and `/api/config/raw` (authenticated-user-accessible), introduced during an admin-by-default API refactor. Patch version 0.17.1 is available; publicly available exploit code exists but the vulnerability is not confirmed as actively exploited in the wild.
Frigate versions prior to 0.16.3 contain a Server-Side Request Forgery (SSRF) vulnerability in the /ffprobe endpoint that accepts arbitrary user-controlled URLs without proper validation. An authenticated attacker can leverage this endpoint to make HTTP requests to internal network resources, cloud metadata services (such as AWS IMDSv1), or perform reconnaissance activities like port scanning against systems accessible from the Frigate server. The vulnerability requires low privileges (authenticated user) and has a network attack vector with low complexity, making it moderately exploitable in environments where Frigate is exposed to untrusted users.
{username}/password endpoint, combined with a failure to invalidate existing JWT tokens upon password change and absence of password strength validation. An attacker who obtains a valid session token through XSS, accidental exposure, cookie theft, compromised device, or unencrypted HTTP sniffing can permanently hijack victim accounts by changing their password while maintaining session access through non-invalidated tokens. This vulnerability has not been reported as actively exploited in the wild (KEV status unknown), but the straightforward nature of the attack and the common exposure vectors for JWT tokens make this a practical threat requiring immediate patching.
Frigate NVR has a command injection vulnerability (CVSS 9.1) allowing authenticated attackers to execute OS commands on the network video recorder.
Frigate network video recorder versions prior to 0.17.1 allow authenticated users with restricted camera access to enumerate and retrieve snapshots from unauthorized cameras through a two-step authorization bypass in the timeline and snapshot APIs. An attacker with low-privilege credentials limited to one camera can exploit missing validation in the snapshot-clean.webp endpoint to access video evidence from other cameras in the system, compromising the confidentiality of surveillance data across the entire installation. A proof-of-concept exists, though no confirmation of active exploitation in the wild has been reported.
Broken access control in Frigate 0.17.0 allows authenticated non-admin users to retrieve the complete raw configuration file via the `/api/config/raw` endpoint, exposing camera credentials, RTMP stream passwords, MQTT secrets, and proxy authentication tokens that are intentionally redacted from the standard `/api/config` API. The vulnerability stems from inconsistent authorization enforcement between `/api/config/raw_paths` (admin-only) and `/api/config/raw` (authenticated-user-accessible), introduced during an admin-by-default API refactor. Patch version 0.17.1 is available; publicly available exploit code exists but the vulnerability is not confirmed as actively exploited in the wild.
Frigate versions prior to 0.16.3 contain a Server-Side Request Forgery (SSRF) vulnerability in the /ffprobe endpoint that accepts arbitrary user-controlled URLs without proper validation. An authenticated attacker can leverage this endpoint to make HTTP requests to internal network resources, cloud metadata services (such as AWS IMDSv1), or perform reconnaissance activities like port scanning against systems accessible from the Frigate server. The vulnerability requires low privileges (authenticated user) and has a network attack vector with low complexity, making it moderately exploitable in environments where Frigate is exposed to untrusted users.
{username}/password endpoint, combined with a failure to invalidate existing JWT tokens upon password change and absence of password strength validation. An attacker who obtains a valid session token through XSS, accidental exposure, cookie theft, compromised device, or unencrypted HTTP sniffing can permanently hijack victim accounts by changing their password while maintaining session access through non-invalidated tokens. This vulnerability has not been reported as actively exploited in the wild (KEV status unknown), but the straightforward nature of the attack and the common exposure vectors for JWT tokens make this a practical threat requiring immediate patching.
Frigate NVR has a command injection vulnerability (CVSS 9.1) allowing authenticated attackers to execute OS commands on the network video recorder.