CVE-2026-33469

Summary

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through /api/config/raw. This exposes sensitive values that are intentionally redacted from /api/config, including camera credentials, go2rtc stream credentials, MQTT passwords, proxy secrets, and any other secrets stored in config.yml. This appears to be a broken access control issue introduced by the admin-by-default API refactor: /api/config/raw_paths is admin-only, but /api/config/raw is still accessible to any authenticated user. Version 0.17.1 contains a patch.

Affected Software

VendorProductVersion RangeStatus
blakeblackshearfrigate= 0.17.0affected

Weaknesses

  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References