CVE-2026-33124 Overview
CVE-2026-33124 is a high-severity authentication bypass vulnerability affecting Frigate, a popular open-source network video recorder (NVR) with realtime local object detection for IP cameras. The vulnerability allows any authenticated user to change their own password without verifying the current password through the /users/{username}/password endpoint. This design flaw, combined with inadequate session management and missing password strength validation, creates multiple attack vectors for account takeover.
Critical Impact
Attackers who obtain a valid session token can permanently take control of user accounts by changing passwords without verification, with session hijacking persisting even after password resets due to non-invalidated JWT tokens.
Affected Products
- Frigate NVR versions prior to 0.17.0-beta1
- All installations using the vulnerable /users/{username}/password endpoint
- Deployments accessible over HTTP without TLS encryption
Discovery Timeline
- March 20, 2026 - CVE-2026-33124 published to NVD
- March 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-33124
Vulnerability Analysis
This vulnerability stems from improper authentication (CWE-287) in Frigate's user password management functionality. The core issue is that the password change endpoint does not require users to provide their current password as verification before setting a new one. This fundamentally breaks the security model that should prevent unauthorized password modifications.
The vulnerability is compounded by two additional security weaknesses. First, when a password is changed, existing JWT tokens remain valid rather than being invalidated. This means that even if a legitimate user changes their password after detecting suspicious activity, an attacker who has already obtained a session token retains access. Second, the absence of password strength validation allows attackers to set weak passwords, making accounts vulnerable to subsequent brute-force attacks.
Root Cause
The root cause is a missing authentication check in the password change workflow. The /users/{username}/password endpoint accepts password change requests from any authenticated session without validating that the requester knows the current password. This violates the security principle that sensitive account modifications should require re-authentication.
Attack Vector
This vulnerability is exploitable over the network by any attacker who obtains a valid JWT session token. Token acquisition can occur through multiple vectors including:
- Accidental exposure of JWT tokens in logs or URLs
- Stolen cookies from compromised browsers or devices
- Cross-site scripting (XSS) attacks that exfiltrate tokens
- Network sniffing when Frigate is deployed over HTTP without TLS
- Compromised devices with active Frigate sessions
Once an attacker obtains a valid session token, they can invoke the password change endpoint to set a new password of their choosing. The victim loses access to their account while the attacker gains permanent control. Because JWT tokens are not invalidated upon password change, even if the victim regains access through an administrator and changes their password again, any previously compromised tokens remain valid for the attacker.
The attack is particularly dangerous in home surveillance and security camera deployments where Frigate is commonly used, as account takeover could provide attackers with access to live video feeds and recorded footage.
Detection Methods for CVE-2026-33124
Indicators of Compromise
- Unexpected password change events in application logs without corresponding user activity
- Multiple password changes for the same account in a short time period
- Password modification requests originating from unusual IP addresses or geographic locations
- Active sessions persisting after password resets
- User reports of being locked out of accounts without initiating password changes
Detection Strategies
- Monitor the /users/{username}/password endpoint for unusual request patterns or frequencies
- Implement alerting for password change events, especially those occurring outside normal user activity windows
- Track and correlate session token usage across multiple IP addresses that may indicate token theft
- Review web server access logs for direct API calls to password change endpoints without preceding authentication flows
Monitoring Recommendations
- Enable detailed logging for all authentication and account modification events in Frigate
- Deploy network monitoring to detect HTTP traffic to Frigate instances that should be using HTTPS
- Implement session activity tracking to identify tokens being used from multiple disparate locations
- Configure alerts for bulk or automated requests to user management endpoints
How to Mitigate CVE-2026-33124
Immediate Actions Required
- Upgrade Frigate to version 0.17.0-beta1 or later immediately
- Force password resets for all user accounts after upgrading to ensure any compromised tokens are invalidated
- Review access logs for signs of unauthorized password changes or suspicious session activity
- Ensure Frigate is deployed behind HTTPS to prevent session token interception via network sniffing
Patch Information
This vulnerability has been resolved in Frigate version 0.17.0-beta1. The fix is available through the official GitHub commit. Additional details are provided in the GitHub Security Advisory GHSA-24p8-r573-vwr2. Organizations should update to the patched version as soon as possible.
Workarounds
- Restrict network access to Frigate instances using firewall rules or VPN requirements until patching is complete
- Implement a reverse proxy with additional authentication layers in front of Frigate
- Disable or restrict access to the /users/{username}/password endpoint at the network level if the application cannot be immediately updated
- Monitor all user accounts for suspicious activity and revoke sessions if compromise is suspected
# Example: Restrict Frigate access to local network only using iptables
iptables -A INPUT -p tcp --dport 5000 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 5000 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
