CVE-2026-33124

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Versions prior to 0.17.0-beta1 allow any authenticated user to change their own password without verifying the current password through the /users/{username}/password endpoint. Changing a password does not invalidate existing JWT tokens, and there is no validation of password strength. If an attacker obtains a valid session token (e.g., via accidentally exposed JWT, stolen cookie, XSS, compromised device, or sniffing over HTTP), they can change the victim’s password and gain permanent control of the account. Since password changes do not invalidate existing JWT tokens, session hijacks persist even after a password reset. Additionally, the lack of password strength validation exposes accounts to brute-force attacks. This issue has been resolved in version 0.17.0-beta1.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/blakeblackshear/frigate/commit/152e58520614610988bff3b6ff55d0aefd89c1b2	Patch
https://github.com/blakeblackshear/frigate/security/advisories/GHSA-24p8-r573-vwr2	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:frigate:frigate:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-20 10:16

Updated : 2026-03-23 15:50

NVD link : CVE-2026-33124

Mitre link : CVE-2026-33124

CVE.ORG link : CVE-2026-33124

JSON object : View

Products Affected

frigate

frigate

CWE

CWE-287

Improper Authentication

{"id": "CVE-2026-33124", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-20T10:16:18.870", "references": [{"url": "https://github.com/blakeblackshear/frigate/commit/152e58520614610988bff3b6ff55d0aefd89c1b2", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-24p8-r573-vwr2", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Versions prior to 0.17.0-beta1 allow any authenticated user to change their own password without verifying the current password through the /users/{username}/password endpoint. Changing a password does not invalidate existing JWT tokens, and there is no validation of password strength. If an attacker obtains a valid session token (e.g., via accidentally exposed JWT, stolen cookie, XSS, compromised device, or sniffing over HTTP), they can change the victim\u2019s password and gain permanent control of the account. Since password changes do not invalidate existing JWT tokens, session hijacks persist even after a password reset. Additionally, the lack of password strength validation exposes accounts to brute-force attacks. This issue has been resolved in version 0.17.0-beta1."}, {"lang": "es", "value": "Frigate es un grabador de video en red (NVR) con detecci\u00f3n local de objetos en tiempo real para c\u00e1maras IP. Las versiones anteriores a la 0.17.0-beta1 permiten a cualquier usuario autenticado cambiar su propia contrase\u00f1a sin verificar la contrase\u00f1a actual a trav\u00e9s del endpoint /users/{username}/password. Cambiar una contrase\u00f1a no invalida los tokens JWT existentes y no hay validaci\u00f3n de la fortaleza de la contrase\u00f1a. Si un atacante obtiene un token de sesi\u00f3n v\u00e1lido (por ejemplo, a trav\u00e9s de un JWT expuesto accidentalmente, una cookie robada, XSS, un dispositivo comprometido o el rastreo por HTTP), puede cambiar la contrase\u00f1a de la v\u00edctima y obtener control permanente de la cuenta. Dado que los cambios de contrase\u00f1a no invalidan los tokens JWT existentes, los secuestros de sesi\u00f3n persisten incluso despu\u00e9s de un restablecimiento de contrase\u00f1a. Adem\u00e1s, la falta de validaci\u00f3n de la fortaleza de la contrase\u00f1a expone las cuentas a ataques de fuerza bruta. Este problema se ha resuelto en la versi\u00f3n 0.17.0-beta1."}], "lastModified": "2026-03-23T15:50:07.553", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:frigate:frigate:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C2130163-BC8A-4F42-9646-76319E812DDE", "versionEndExcluding": "0.17.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}