CVE-2026-33469
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through /api/config/raw. This exposes sensitive values that are intentionally redacted from /api/config, including camera credentials, go2rtc stream credentials, MQTT passwords, proxy secrets, and any other secrets stored in config.yml. This appears to be a broken access control issue introduced by the admin-by-default API refactor: /api/config/raw_paths is admin-only, but /api/config/raw is still accessible to any authenticated user. Version 0.17.1 contains a patch.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| blakeblackshear | frigate | = 0.17.0 | affected |
Weaknesses
- CWE-863: CWE-863: Incorrect Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.