CVE-2026-33469 Overview
CVE-2026-33469 is a Broken Access Control vulnerability affecting Frigate, a popular open-source network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through the /api/config/raw endpoint. This exposes sensitive values that are intentionally redacted from the /api/config endpoint, including camera credentials, go2rtc stream credentials, MQTT passwords, proxy secrets, and any other secrets stored in config.yml.
Critical Impact
Authenticated non-admin users can access sensitive credentials and secrets that should only be visible to administrators, potentially leading to unauthorized access to cameras, MQTT brokers, and other integrated systems.
Affected Products
- Frigate NVR version 0.17.0
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-33469 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33469
Vulnerability Analysis
This vulnerability represents a classic Broken Access Control (CWE-863) issue introduced during an API refactoring effort. The admin-by-default API refactor intended to restrict sensitive endpoints to administrative users only, but the /api/config/raw endpoint was inadvertently left accessible to any authenticated user. While the /api/config/raw_paths endpoint was correctly restricted to admin-only access, the /api/config/raw endpoint retained its previous permissive access control.
The exposure is particularly concerning because the raw configuration file contains unredacted secrets. The standard /api/config endpoint properly sanitizes sensitive data before returning it to non-admin users, but the raw endpoint bypasses this protection entirely.
Root Cause
The vulnerability stems from an incomplete access control implementation during the admin-by-default API refactoring process. When updating the API to require administrative privileges for sensitive operations, the development team applied the admin-only restriction to /api/config/raw_paths but failed to apply the same restriction to the related /api/config/raw endpoint. This inconsistency created a bypass where authenticated users could access the unfiltered configuration data.
Attack Vector
The attack vector is network-based and requires only low privileges (authenticated user access). An attacker who has obtained valid credentials for any non-admin Frigate user account can exploit this vulnerability by making a simple authenticated GET request to the /api/config/raw endpoint.
The vulnerability does not require any user interaction and can be exploited remotely. Upon successful exploitation, the attacker gains access to sensitive configuration data including camera credentials (usernames/passwords for IP cameras), go2rtc streaming service credentials, MQTT broker passwords, proxy secrets, and any other sensitive values stored in the configuration file.
This information could be leveraged for further attacks such as unauthorized access to surveillance cameras, manipulation of MQTT-based home automation systems, or lateral movement within the network.
Detection Methods for CVE-2026-33469
Indicators of Compromise
- Unusual access patterns to /api/config/raw endpoint from non-admin user accounts
- Multiple rapid requests to configuration endpoints from the same session
- Access logs showing non-admin users querying sensitive API endpoints
- Unexpected credential usage on camera streams or MQTT brokers from new sources
Detection Strategies
- Monitor API access logs for requests to /api/config/raw from non-administrative user sessions
- Implement alerting on configuration endpoint access patterns that deviate from normal admin behavior
- Review authentication logs for any accounts that have accessed sensitive endpoints inappropriately
- Deploy application-layer firewall rules to log and alert on raw configuration endpoint access
Monitoring Recommendations
- Enable detailed logging for all API endpoints in Frigate, particularly configuration-related endpoints
- Set up alerts for any access to /api/config/raw by non-admin users
- Monitor for signs of credential misuse on connected systems (cameras, MQTT brokers)
- Implement periodic review of user access patterns to identify potential exploitation attempts
How to Mitigate CVE-2026-33469
Immediate Actions Required
- Upgrade Frigate to version 0.17.1 or later immediately
- Audit user accounts to identify and remove unnecessary non-admin users
- Rotate all credentials stored in the Frigate configuration file (camera passwords, MQTT passwords, proxy secrets)
- Review access logs for any suspicious access to the /api/config/raw endpoint
Patch Information
Frigate version 0.17.1 contains the official patch for this vulnerability. The fix properly applies admin-only access restrictions to the /api/config/raw endpoint, aligning it with the intended security model of the admin-by-default API refactor. Users should update to this version or later as soon as possible.
For more details, refer to the GitHub Security Advisory.
Workarounds
- Restrict network access to the Frigate web interface to trusted administrator-only networks
- Implement a reverse proxy with additional access controls to block non-admin access to /api/config/raw
- Remove or disable all non-admin user accounts until the patch can be applied
- Place Frigate behind a VPN to limit exposure to authenticated users on the trusted network
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
