CVE-2026-25643
Unknown Unknown - Not Provided
Critical Remote Command Execution in Frigate go2rtc Integration

Publication date: 2026-02-06

Last updated on: 2026-02-11

Assigner: GitHub, Inc.

Description
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or users who have exposed their Frigate install to the open internet with no authentication which allows anyone full administrative control. This vulnerability is fixed in 0.16.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-02-11
Generated
2026-06-16
AI Q&A
2026-02-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25643
EUVD
EUVD-2026-5586
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
frigate frigate to 0.16.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-668 The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
CWE-250 The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25643 is a critical Remote Command Execution (RCE) vulnerability in the Frigate network video recorder software, specifically in its integration with the go2rtc service. The vulnerability arises because Frigate does not sanitize user input in the video stream configuration file (config.yaml), allowing an attacker to inject and execute arbitrary system commands via the exec: directive.

This flaw can be exploited by an administrator or by anyone if the Frigate instance is exposed to the internet without authentication. The go2rtc service executes these injected commands without restrictions, and since Frigate often runs in privileged mode, the attacker can gain elevated capabilities, including container escape and host system compromise.

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote command execution, exposure of sensitive credentials, and full control over the Frigate system and potentially the host machine.

  • An attacker can exfiltrate secrets and environment variables such as RTSP usernames, passwords, and API keys.
  • An attacker can establish an interactive reverse shell, gaining root access inside the container.
  • In privileged deployments, the attacker can escape the container and compromise the host system, including mounting physical disks and modifying the host filesystem.

Overall, this leads to a complete loss of confidentiality, integrity, and availability of the affected system.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking the version of the Frigate software in use and inspecting the video stream configuration file (config.yaml) for the presence of the "exec:" directive, which allows execution of system commands.'}, {'type': 'paragraph', 'content': 'Specifically, detection involves verifying if the Frigate version is prior to 0.16.4, as versions before this are vulnerable.'}, {'type': 'paragraph', 'content': 'Additionally, reviewing the config.yaml file for any stream definitions using the "exec:" prefix can indicate potential exploitation or risk.'}, {'type': 'paragraph', 'content': 'Suggested commands include:'}, {'type': 'list_item', 'content': 'Check Frigate version: `frigate --version` or check the container image tag if running in a container.'}, {'type': 'list_item', 'content': "Inspect the config.yaml file for exec directives: `grep -r 'exec:' /path/to/config.yaml`"}, {'type': 'list_item', 'content': 'Check for suspicious files or environment dumps inside the container that may indicate exploitation.'}] [2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate and most effective mitigation step is to upgrade Frigate to version 0.16.4 or later, where this vulnerability has been fixed.'}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, ensure that the Frigate instance is not exposed to the open internet without authentication, as unauthenticated access allows full exploitation.'}, {'type': 'paragraph', 'content': 'Restrict administrative access to trusted users only, and avoid using the "exec:" directive in the config.yaml file.'}, {'type': 'paragraph', 'content': 'Restart the Frigate service after applying configuration changes to ensure no malicious streams are active.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25643. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart