CVE-2026-33125
published 2026-03-20
Priority P347 · CVSS 3.1: 8.1 (High) · AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.24% (15.3th percentile)
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user accounts. Exploitation can lead to DoS and affect data integrity. This issue has been patched in version 0.16.3.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| blakeblackshear | frigate | < 0.16.3 | 0.16.3 |
| frigate | frigate | < 0.16.3 | 0.16.3 |
GHSA
Frigate has broken access control: viewer user can delete admin and other users' accounts
ghsa · 2026-03-18
CVE-2026-33125 [HIGH] CWE-285
### Summary
Users with the viewer role can delete admin and other users' accounts. This leads to denial of service and affects data integrity.
### Details
Endpoint `DELETE /api/users/admin` is enabled for anonymous users.
### PoC
I deleted the admin user on `demo.frigate.video`:
### Impact
This leads to denial of service and affects data integrity.
### Recommended Fixes
Restrict access to the endpoint to authenticated admin users only:
Add `dependencies=[Depends(require_role(["admin"]))]` to this endpoint.
OSV
Frigate has broken access control: viewer user can delete admin and other users' accounts
osv · 2026-03-18
CVE-2026-33125 [HIGH]
No detection rules found.
No public exploits indexed.