CVE-2026-33469

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through `/api/config/raw`. This exposes sensitive values that are intentionally redacted from `/api/config`, including camera credentials, go2rtc stream credentials, MQTT passwords, proxy secrets, and any other secrets stored in `config.yml`. This appears to be a broken access control issue introduced by the admin-by-default API refactor: `/api/config/raw_paths` is admin-only, but `/api/config/raw` is still accessible to any authenticated user. Version 0.17.1 contains a patch.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh
https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-26 17:16

Updated : 2026-03-30 13:26

NVD link : CVE-2026-33469

Mitre link : CVE-2026-33469

CVE.ORG link : CVE-2026-33469

JSON object : View

Products Affected

No product.

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2026-33469", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-03-26T17:16:41.157", "references": [{"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh", "source": "security-advisories@github.com"}, {"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through `/api/config/raw`. This exposes sensitive values that are intentionally redacted from `/api/config`, including camera credentials, go2rtc stream credentials, MQTT passwords, proxy secrets, and any other secrets stored in `config.yml`. This appears to be a broken access control issue introduced by the admin-by-default API refactor: `/api/config/raw_paths` is admin-only, but `/api/config/raw` is still accessible to any authenticated user. Version 0.17.1 contains a patch."}, {"lang": "es", "value": "Frigate es un grabador de v\u00eddeo en red (NVR) con detecci\u00f3n de objetos local en tiempo real para c\u00e1maras IP. En la versi\u00f3n 0.17.0, un usuario autenticado no administrador puede recuperar la configuraci\u00f3n completa sin procesar de Frigate a trav\u00e9s de `/api/config/raw`. Esto expone valores sensibles que son intencionalmente redactados de `/api/config`, incluyendo credenciales de c\u00e1mara, credenciales de flujo de go2rtc, contrase\u00f1as MQTT, secretos de proxy y cualquier otro secreto almacenado en `config.yml`. Esto parece ser un problema de control de acceso roto introducido por la refactorizaci\u00f3n de la API de administrador por defecto: `/api/config/raw_paths` es solo para administradores, pero `/api/config/raw` sigue siendo accesible para cualquier usuario autenticado. La versi\u00f3n 0.17.1 contiene un parche."}], "lastModified": "2026-03-30T13:26:50.827", "sourceIdentifier": "security-advisories@github.com"}