CVE-2026-33125
Privilege Escalation in Frigate NVR Allows Account Deletion
Publication date: 2026-03-20
Last updated on: 2026-03-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| frigate | frigate | to 0.16.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-33125 is a high-severity broken access control vulnerability in the Frigate network video recorder software, specifically in versions 0.16.2 and below.'}, {'type': 'paragraph', 'content': "The vulnerability allows users with the 'viewer' role to delete admin and other user accounts by accessing the DELETE /api/users/admin endpoint, which is improperly accessible even to anonymous users."}, {'type': 'paragraph', 'content': 'This happens because the system fails to enforce proper authorization checks, allowing unauthorized users to perform sensitive actions.'}] [1]
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to denial of service (DoS) by deleting admin accounts, which disrupts the normal operation of the Frigate system.
It also compromises data integrity by allowing unauthorized modification of user accounts.
Since the attack requires only low privileges (viewer role) and no user interaction, it is relatively easy to exploit remotely.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring access to the DELETE /api/users/admin endpoint, which should be restricted to admin users only. Unauthorized access or deletion attempts by users with the viewer role or anonymous users indicate exploitation.'}, {'type': 'paragraph', 'content': 'You can use network monitoring tools or web server logs to detect suspicious DELETE requests to /api/users/admin from non-admin users.'}, {'type': 'paragraph', 'content': 'Example commands to detect such activity might include:'}, {'type': 'list_item', 'content': "Using grep on server logs to find DELETE requests to the vulnerable endpoint: `grep 'DELETE /api/users/admin' /var/log/frigate/access.log`"}, {'type': 'list_item', 'content': "Using curl to test if the endpoint is accessible without proper admin authorization: `curl -X DELETE http://<frigate-server>/api/users/admin -H 'Authorization: Bearer <viewer-token>'`"}, {'type': 'list_item', 'content': 'Using network packet capture tools like tcpdump or Wireshark to filter HTTP DELETE requests to /api/users/admin.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Frigate to version 0.16.3 or later, where this vulnerability has been patched.
The patch restricts the DELETE /api/users/admin endpoint to authenticated admin users only by adding proper authorization checks.
Until the upgrade can be applied, restrict network access to the Frigate API to trusted users only and monitor for unauthorized DELETE requests to the /api/users/admin endpoint.