CVE-2026-33124
Authentication Bypass and Persistent Session Hijack in Frigate NVR
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frigate | frigate | < 0.17.0 (upper bound excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33124 is a vulnerability in the Frigate network video recorder (NVR) software in versions prior to 0.17.0-beta1. The /users/{username}/password endpoint lets any authenticated user set a new password for their own account without supplying the current password.

Changing the password also does not invalidate existing JWT tokens. An attacker who has obtained a valid session token can therefore change the victim's password and keep control of the account: the attacker's token keeps working, and a later password reset by the victim does not evict it either.

There is also no validation of password strength, so weak passwords can be set, which exposes accounts to brute-force guessing. [2]
How can this vulnerability impact me? :
An attacker who obtains a valid session token, for example through an exposed JWT, a stolen cookie, cross-site scripting (XSS), a compromised device, or sniffing of plaintext HTTP traffic, can change the victim's password without knowing the current one and so lock the victim out of the account.

Because existing JWT tokens stay valid after a password change, the attacker keeps access for as long as the token remains valid, even after the victim or an administrator resets the password.

The missing password strength validation additionally raises the risk of brute-force attacks, since weak passwords can be set and then guessed to gain unauthorized access. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The reliable check is the version: any Frigate release before 0.17.0-beta1 is affected, because those versions accept a password change without the current password and leave existing JWT tokens valid afterwards. Read the version from the web UI, from the tag of the running container image (`docker inspect <container>`), or from Frigate's `/api/version` endpoint on the authenticated web port.
Exploitation cannot be told from the request body alone: the vulnerable server neither requires nor checks the old password, so its presence or absence in a request to /users/{username}/password says nothing about who authorized the change. Record instead who changed whose password, when, and from which source address.
The useful signal is the token's issuance time. JWT payloads are base64url-encoded and readable without the signing secret, so correlate the iat claim of each accepted request with the user's last password-change event: a request authenticated by a token whose iat predates that change is a session that should have been invalidated.
Suggested commands or methods include:
- Network capture (tcpdump, Wireshark) only sees the /users/{username}/password request if Frigate is served over plaintext HTTP, which is itself one of the token-theft paths above. Behind a TLS reverse proxy, use the proxy's access log instead; if you add the bearer token or cookie to the log format, log a hash of it rather than the raw value.
- Check application and proxy logs for password-change requests and note username, timestamp and source address. Do not log the passwords themselves, old or new.
- If your deployment records password-change timestamps (Frigate itself does not expose them as an audit trail), compare them with the iat of tokens seen in later requests for the same user.
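The correlation described above, as an added example that is not Frigate code or part of the original page. It assumes a constructed access-log format (timestamp, client IP, method, path, status, bearer token), that the token carries `sub` (username) and `iat` (issued-at, epoch seconds) claims, and that the password endpoint is `/api/users/{username}/password`; adapt the parser and the regex to your proxy's log format and token layout. The sample log and demo tokens are constructed for the example.

```python
"""Flag requests that ride on a JWT issued before its user's password changed."""
import base64
import json
import re
from datetime import datetime

# Assumption: Frigate's API prefix is /api; the regex also matches the bare path.
PASSWORD_PATH = re.compile(r"^(?:/api)?/users/([^/]+)/password$")


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def jwt_claims(token: str) -> dict:
    """Read the claims without verifying the signature: the server already
    accepted the request, we only want sub/iat for correlation."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def to_epoch(ts: str) -> int:
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())


def parse_line(line: str) -> dict:
    # Constructed log format: "<iso-ts> <src-ip> <method> <path> <status> <jwt>"
    ts, src, method, path, status, token = line.split()
    return {"ts": to_epoch(ts), "src": src, "method": method, "path": path,
            "status": int(status), "token": token}


def find_stale_token_use(log_lines) -> list:
    """Return requests authenticated by a token whose iat predates the last
    successful password change of that token's user."""
    entries = [parse_line(line) for line in log_lines if line.strip()]
    # Pass 1: last successful password change per user.
    changed_at = {}
    for e in entries:
        m = PASSWORD_PATH.match(e["path"])
        if m and e["status"] == 200:
            user = m.group(1)
            changed_at[user] = max(changed_at.get(user, 0), e["ts"])
    # Pass 2: any later request still authenticated by a pre-change token.
    hits = []
    for e in entries:
        claims = jwt_claims(e["token"])
        user = claims.get("sub")
        if user in changed_at and e["ts"] > changed_at[user] and claims["iat"] < changed_at[user]:
            hits.append({"user": user, "src": e["src"], "path": e["path"],
                         "request_ts": e["ts"], "token_iat": claims["iat"],
                         "password_changed_at": changed_at[user]})
    return hits


def make_demo_token(sub: str, iat: int) -> str:
    """Constructed, unsigned demo token; real tokens carry an HMAC signature."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc({'sub': sub, 'iat': iat})}.demo"


# Constructed sample log: alice's original token (issued 09:55) is used from a
# second address to change her password at 10:10 and is still accepted at 10:20.
ALICE_OLD = make_demo_token("alice", to_epoch("2026-03-21T09:55:00Z"))
ALICE_NEW = make_demo_token("alice", to_epoch("2026-03-21T10:12:00Z"))
BOB = make_demo_token("bob", to_epoch("2026-03-21T09:00:00Z"))
SAMPLE_LOG = [
    f"2026-03-21T10:05:00Z 192.0.2.10 GET /api/events 200 {ALICE_OLD}",
    f"2026-03-21T10:10:00Z 203.0.113.5 PUT /api/users/alice/password 200 {ALICE_OLD}",
    f"2026-03-21T10:20:00Z 203.0.113.5 GET /api/events 200 {ALICE_OLD}",
    f"2026-03-21T10:25:00Z 192.0.2.10 GET /api/events 200 {ALICE_NEW}",
    f"2026-03-21T10:30:00Z 192.0.2.11 GET /api/config 200 {BOB}",
]

if __name__ == "__main__":
    for hit in find_stale_token_use(SAMPLE_LOG):
        print(hit)
```

Only the 10:20 request is reported: the change request itself and alice's later session on a token issued after the change are normal, and bob's token is never compared because his password did not change. The same logic applied to a real proxy log will also surface the legitimate case of a user who changes their own password and keeps browsing on the old token, which is exactly the behaviour the fix removes.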
What immediate steps should I take to mitigate this vulnerability?
Upgrade Frigate to version 0.17.0-beta1 or later, where this vulnerability is fixed. After upgrading, change the password on every account and have users sign in again, so that any token an attacker may already hold is retired rather than trusted into the fixed version.
If upgrading is not immediately possible, note that the first three items below are changes to Frigate's password-change handler, not settings an operator can switch on; they describe what the fix has to do and apply only if you patch the application yourself. In the meantime, reduce the chance of token theft: do not expose the web interface directly to the internet, serve it only over TLS, and keep the browsers and devices that hold sessions patched.
- Require the current password (old_password) on every password-change request and verify it before the new hash is written.
- Invalidate all existing JWT tokens and sessions for the account as part of the password change, for example by binding each token to a per-user password version that the change increments, so that a stolen token stops working the moment the password is reset.
- Enforce a password policy to reduce brute-force risk. Current guidance (NIST SP 800-63B) favors a minimum length and a check against known-weak passwords over composition rules such as required uppercase letters, digits and special characters.
- Monitor and audit authentication logs for password changes the account owner did not perform, especially those coming from unfamiliar source addresses.
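The three code-level fixes above, as an added example that is not Frigate's code or part of the original page, with the vulnerable behaviour beside the hardened one. It models Frigate-style HS256 JWTs with a hand-rolled signer so it runs without third-party packages; the in-memory USERS store, the `pwd_ver` claim name, the PBKDF2 parameters and the policy thresholds are assumptions of this example, not Frigate's.

```python
"""Password change that verifies the old password, enforces a policy, and
invalidates every token issued before the change."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = secrets.token_bytes(32)   # assumption: per-deployment signing key
USERS = {}                         # username -> {"salt", "hash", "pwd_ver"}
MIN_LENGTH = 12                    # assumption: policy threshold
DENYLIST = {"password1234", "frigate12345"}  # constructed stand-in for a breached-password list


class AuthError(Exception):
    pass


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_strength(username: str, password: str) -> None:
    # Length plus a denylist, as NIST SP 800-63B prefers over composition rules.
    if len(password) < MIN_LENGTH:
        raise ValueError(f"password must be at least {MIN_LENGTH} characters")
    if password.lower() in DENYLIST or username.lower() in password.lower():
        raise ValueError("password is on the denylist or contains the username")


def create_user(username: str, password: str) -> None:
    check_strength(username, password)
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt), "pwd_ver": 0}


def verify_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(_hash(password, user["salt"]), user["hash"])


def issue_token(username: str, ttl: int = 3600) -> str:
    # The user's current pwd_ver is snapshotted into the token.
    now = int(time.time())
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": username, "iat": now, "exp": now + ttl,
                               "pwd_ver": USERS[username]["pwd_ver"]}).encode())
    sig = _b64(hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def verify_token(token: str) -> dict:
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise AuthError("malformed token")
    expected = _b64(hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise AuthError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims["exp"] < int(time.time()):
        raise AuthError("token expired")
    user = USERS.get(claims["sub"])
    # This comparison is what evicts sessions minted before a password change.
    if user is None or claims.get("pwd_ver") != user["pwd_ver"]:
        raise AuthError("token predates a password change")
    return claims


def change_password_vulnerable(username: str, new_password: str) -> None:
    """The behaviour the advisory describes: no old-password check, no
    strength check, and previously issued tokens keep working."""
    salt = secrets.token_bytes(16)
    USERS[username].update(salt=salt, hash=_hash(new_password, salt))


def change_password_fixed(username: str, old_password: str, new_password: str) -> None:
    if not verify_password(username, old_password):
        raise AuthError("current password is wrong")
    check_strength(username, new_password)
    salt = secrets.token_bytes(16)
    USERS[username].update(salt=salt, hash=_hash(new_password, salt))
    USERS[username]["pwd_ver"] += 1   # every token minted before this line is now rejected


if __name__ == "__main__":
    create_user("alice", "correct horse battery staple")
    stolen = issue_token("alice")
    change_password_fixed("alice", "correct horse battery staple", "a different long passphrase")
    try:
        verify_token(stolen)
    except AuthError as err:
        print("stolen token rejected:", err)
```

Bumping `pwd_ver` costs one integer compare per request and needs no token blacklist: tokens are still stateless, but each one is pinned to the password generation it was issued under. A persistent store would keep `pwd_ver` next to the password hash so the check survives restarts; resetting the signing secret is the coarser alternative that logs every user out at once.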