CVE-2026-33470

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, a low-privilege authenticated user restricted to one camera can access snapshots from other cameras. This is possible through a chain of two authorization problems: `/api/timeline` returns timeline entries for cameras outside the caller's allowed camera set, then `/api/events/{event_id}/snapshot-clean.webp` declares `Depends(require_camera_access)` but never actually validates `event.camera` after looking up the event. Together, this allows a restricted user to enumerate event IDs from unauthorized cameras and then fetch clean snapshots for those events. Version 0.17.1 fixes the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/blakeblackshear/frigate/security/advisories/GHSA-m2mg-pj9p-2r7g
https://github.com/blakeblackshear/frigate/security/advisories/GHSA-m2mg-pj9p-2r7g

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-26 17:16

Updated : 2026-03-30 13:26

NVD link : CVE-2026-33470

Mitre link : CVE-2026-33470

CVE.ORG link : CVE-2026-33470

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

CWE-863

Incorrect Authorization

{"id": "CVE-2026-33470", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-03-26T17:16:41.320", "references": [{"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-m2mg-pj9p-2r7g", "source": "security-advisories@github.com"}, {"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-m2mg-pj9p-2r7g", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}, {"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, a low-privilege authenticated user restricted to one camera can access snapshots from other cameras. This is possible through a chain of two authorization problems: `/api/timeline` returns timeline entries for cameras outside the caller's allowed camera set, then `/api/events/{event_id}/snapshot-clean.webp` declares `Depends(require_camera_access)` but never actually validates `event.camera` after looking up the event. Together, this allows a restricted user to enumerate event IDs from unauthorized cameras and then fetch clean snapshots for those events. Version 0.17.1 fixes the issue."}, {"lang": "es", "value": "Frigate es un grabador de v\u00eddeo en red (NVR) con detecci\u00f3n local de objetos en tiempo real para c\u00e1maras IP. En la versi\u00f3n 0.17.0, un usuario autenticado con bajos privilegios restringido a una c\u00e1mara puede acceder a instant\u00e1neas de otras c\u00e1maras. Esto es posible a trav\u00e9s de una cadena de dos problemas de autorizaci\u00f3n: `/api/timeline` devuelve entradas de la l\u00ednea de tiempo para c\u00e1maras fuera del conjunto de c\u00e1maras permitidas del llamador, luego `/api/events/{event_id}/snapshot-clean.webp` declara `Depends(require_camera_access)` pero nunca valida realmente `event.camera` despu\u00e9s de buscar el evento. Juntos, esto permite a un usuario restringido enumerar IDs de eventos de c\u00e1maras no autorizadas y luego obtener instant\u00e1neas limpias para esos eventos. La versi\u00f3n 0.17.1 corrige el problema."}], "lastModified": "2026-03-30T13:26:50.827", "sourceIdentifier": "security-advisories@github.com"}