CVE-2026-25643
Critical Remote Command Execution in Frigate go2rtc Integration
Publication date: 2026-02-06
Last updated on: 2026-02-11
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frigate | frigate | up to 0.16.4 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| CWE-668 | The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. |
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
| CWE-250 | The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25643 is a critical Remote Command Execution (RCE) vulnerability in the Frigate network video recorder software, specifically in its integration with the go2rtc service. The vulnerability arises because Frigate does not sanitize user input in the video stream configuration file (config.yaml), allowing an attacker to inject and execute arbitrary system commands via the exec: directive.
This flaw can be exploited by an administrator or by anyone if the Frigate instance is exposed to the internet without authentication. The go2rtc service executes these injected commands without restrictions, and since Frigate often runs in privileged mode, the attacker can gain elevated capabilities, including container escape and host system compromise.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized remote command execution, exposure of sensitive credentials, and full control over the Frigate system and potentially the host machine.
- An attacker can exfiltrate secrets and environment variables such as RTSP usernames, passwords, and API keys.
- An attacker can establish an interactive reverse shell, gaining root access inside the container.
- In privileged deployments, the attacker can escape the container and compromise the host system, including mounting physical disks and modifying the host filesystem.
Overall, this leads to a complete loss of confidentiality, integrity, and availability of the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the version of the Frigate software in use and inspecting the video stream configuration file (config.yaml) for the presence of the "exec:" directive, which allows execution of system commands.
Specifically, detection involves verifying whether the Frigate version is prior to 0.16.4, as versions before this are vulnerable.
Additionally, reviewing the config.yaml file for any stream definitions using the "exec:" prefix can indicate potential exploitation or risk.
Suggested commands include:
- Check Frigate version: `frigate --version` or check the container image tag if running in a container.
- Inspect the config.yaml file for exec directives: `grep -r 'exec:' /path/to/config.yaml`
- Check for suspicious files or environment dumps inside the container that may indicate exploitation. [2]
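A plain `grep` for `exec:` also matches comments and unrelated keys. The following added example (not code from Frigate or from the advisory) narrows the check to sources defined under the `go2rtc:` block and reports which stream each one belongs to. It assumes block-style YAML with the usual `go2rtc:` / `streams:` layout; the sample config, stream names and paths are constructed for illustration.

```python
# Constructed sample config for illustration; hosts use the 192.0.2.0/24 documentation range.
SAMPLE_CONFIG = """\
mqtt:
  host: 192.0.2.5
go2rtc:
  streams:
    front_door:
      - rtsp://viewer:{FRIGATE_RTSP_PASSWORD}@192.0.2.10:554/stream1
      - "ffmpeg:front_door#audio=aac"
    garage:
      - "exec:ffmpeg -re -i /media/clip.mp4 -c copy -f rtsp {output}"
    side_gate: exec:/config/helper.sh
    # old: exec:/config/disabled.sh
cameras:
  front_door:
    ffmpeg:
      inputs:
        - path: rtsp://127.0.0.1:8554/front_door
"""


def find_exec_streams(config_text):
    """Return (line_no, stream_name, source) for each go2rtc source starting with exec:."""
    findings, in_go2rtc, stream = [], False, None
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments define nothing
        if not line[0].isspace():
            # A top-level key either opens the go2rtc block or closes it.
            in_go2rtc = line.startswith("go2rtc:")
            stream = None
            continue
        if not in_go2rtc:
            continue
        body = line.strip()
        if body.startswith("- "):
            value = body[2:]  # list item belonging to the current stream
        else:
            key, _, value = body.partition(":")
            if key != "streams":
                stream = key  # "name:" or "name: source" starts a new stream
        value = value.strip().strip("'\"")
        if value.startswith("exec:"):
            findings.append((line_no, stream, value))
    return findings


if __name__ == "__main__":
    for line_no, stream, source in find_exec_streams(SAMPLE_CONFIG):
        print(f"line {line_no}: stream {stream!r} runs a command: {source}")
```

Each reported source should be compared against what the administrator intentionally configured; an entry nobody recognises is worth investigating.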
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation step is to upgrade Frigate to version 0.16.4 or later, where this vulnerability has been fixed.
If upgrading immediately is not possible, ensure that the Frigate instance is not exposed to the open internet without authentication, as unauthenticated access allows full exploitation.
Restrict administrative access to trusted users only, and avoid using the "exec:" directive in the config.yaml file.
Restart the Frigate service after applying configuration changes to ensure no malicious streams are active. [1, 2]