Mitigation Strategies

The immediate mitigation is to upgrade Frigate to version 0.17.1 or later, which contains a patch restricting access to `/api/config/raw` to admin users only.

The patch replaces the permission dependency from allowing any authenticated user to requiring admin role, and removes the endpoint from exemption lists.

Until the upgrade can be applied, restrict access to the `/api/config/raw` endpoint by network controls or API gateway rules to prevent non-admin users from accessing it.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-33469 is an authorization vulnerability in the Frigate network video recorder software versions 0.17.0 to before 0.17.1. It allows any authenticated user who is not an admin to access the full unredacted configuration file through the API endpoint `/api/config/raw`.

This configuration file contains sensitive information such as camera credentials, stream credentials, MQTT passwords, proxy secrets, and other secrets stored in the configuration file `config.yml`. Normally, these sensitive values are redacted in the standard configuration API endpoint `/api/config`.

The root cause is a broken access control introduced during an admin-by-default API refactor, where `/api/config/raw_paths` is correctly restricted to admin users, but `/api/config/raw` remains accessible to any authenticated user due to improper permission settings.

This flaw allows low-privilege authenticated users to bypass frontend restrictions and retrieve sensitive configuration data directly via API calls.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to significant confidentiality loss by exposing sensitive configuration data to any authenticated user, including camera credentials, stream credentials, MQTT passwords, and proxy secrets.

Attackers with low-privilege authenticated access can extract these secrets and potentially use them to compromise connected cameras, streams, MQTT services, proxy authentication, and other integrated systems.

The impact is a direct risk to the confidentiality of the system and can enable further attacks or unauthorized access to the infrastructure connected to Frigate.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the vulnerable API endpoint `/api/config/raw` as an authenticated non-admin user. If the full raw configuration, including sensitive credentials, is returned, the system is vulnerable.

A proof of concept involves authenticating as a non-admin user and sending a GET request to `/api/config/raw` with a valid bearer token.

• Use a command like: curl -H "Authorization: Bearer <token>" https://<frigate-server>/api/config/raw
• If the response contains unredacted sensitive configuration data (camera credentials, MQTT passwords, proxy secrets), the vulnerability is present.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability leads to unauthorized disclosure of sensitive configuration data, including camera credentials, stream credentials, passwords, and proxy secrets, to any authenticated non-admin user.

Such a confidentiality breach can impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive information and mandate protection of personal and sensitive data.

By exposing secrets that could be used to compromise connected systems and data, this vulnerability increases the risk of unauthorized access and data breaches, potentially violating regulatory requirements for confidentiality and security.

Useful 0 Not Useful 0