CVE-2026-33125 Overview
CVE-2026-33125 is a Broken Access Control vulnerability affecting Frigate, a popular open-source network video recorder (NVR) with real-time local object detection for IP cameras. In versions 0.16.2 and below, users assigned the viewer role can improperly delete admin and other low-privileged user accounts. This improper authorization vulnerability (CWE-285) can lead to denial of service conditions and compromise data integrity within the Frigate application.
Critical Impact
Low-privileged viewer accounts can delete administrator and other user accounts, potentially locking legitimate administrators out of the system and disrupting video surveillance operations.
Affected Products
- Frigate versions 0.16.2 and below
- Frigate NVR installations with multiple user roles configured
- Self-hosted Frigate deployments with viewer-level access granted to users
Discovery Timeline
- 2026-03-20 - CVE-2026-33125 published to NVD
- 2026-03-20 - Last updated in NVD database
Technical Details for CVE-2026-33125
Vulnerability Analysis
This vulnerability stems from improper authorization checks within Frigate's user management functionality. The application fails to properly validate whether a user initiating an account deletion request possesses sufficient privileges to perform that action. As a result, users with the low-privileged "viewer" role can successfully execute account deletion operations that should be restricted to administrative users only.
The exploitation of this vulnerability does not require any user interaction and can be performed remotely over the network by any authenticated user with viewer-level access. The impact is significant as it allows complete compromise of user account integrity without affecting data confidentiality directly.
Root Cause
The root cause is classified as CWE-285: Improper Authorization. The Frigate application's access control mechanism fails to enforce proper role-based restrictions on the user deletion endpoint. When processing deletion requests, the backend does not adequately verify that the requesting user has administrative privileges, allowing viewer-role users to bypass intended authorization checks.
Attack Vector
The attack vector is network-based and requires low privileges (an authenticated viewer account). An attacker who has obtained or been granted viewer-level access to a Frigate installation can:
- Authenticate to the Frigate application with viewer credentials
- Craft or invoke requests to the user management deletion functionality
- Target admin accounts or other user accounts for deletion
- Successfully remove accounts without proper authorization checks preventing the action
This can result in denial of service by locking administrators out of their own systems, and compromises the integrity of user management data. The vulnerability does not expose confidential information but has high impact on both integrity and availability.
Detection Methods for CVE-2026-33125
Indicators of Compromise
- Unexpected user account deletions appearing in Frigate logs
- Missing administrator accounts that were previously configured
- Viewer-role users accessing user management API endpoints
- Audit log entries showing account deletions initiated by non-admin users
Detection Strategies
- Monitor Frigate application logs for user deletion events, correlating them with the initiating user's role
- Implement API-level monitoring to detect viewer-role accounts accessing administrative endpoints
- Configure alerting for any changes to the admin user accounts
- Review authentication and authorization logs for anomalous patterns
Monitoring Recommendations
- Enable verbose logging for user management operations in Frigate
- Set up automated alerts when administrator accounts are modified or deleted
- Regularly audit user accounts and their assigned roles within the Frigate deployment
- Monitor network traffic to Frigate instances for unusual API call patterns
How to Mitigate CVE-2026-33125
Immediate Actions Required
- Upgrade Frigate to version 0.16.3 or later immediately
- Audit all existing user accounts to ensure no unauthorized deletions have occurred
- Review access logs for any signs of exploitation prior to patching
- Restrict network access to Frigate instances to trusted networks where possible
Patch Information
The vulnerability has been patched in Frigate version 0.16.3. Users should upgrade immediately by pulling the latest release from the official Frigate GitHub repository. The security advisory with full details is available at the GitHub Security Advisory GHSA-vg28-83rp-8xx4.
Workarounds
- Temporarily disable or remove viewer-role accounts until the patch can be applied
- Implement network-level access controls to restrict who can reach the Frigate web interface
- Place Frigate behind a reverse proxy with additional authentication requirements
- Monitor user management API endpoints and block suspicious requests at the network layer
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
