Compliance Impact

This vulnerability allows a low-privilege authenticated user to access snapshots from unauthorized cameras, resulting in a cross-camera confidentiality breach and an authorization bypass.

Such unauthorized access to potentially sensitive video data could lead to violations of data protection regulations like GDPR or HIPAA, which require strict controls on access to personal or sensitive information.

Specifically, the confidentiality impact is rated high, indicating that sensitive information could be exposed without proper authorization, which is a key compliance concern under these standards.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-33470 is an authorization vulnerability in the Frigate network video recorder software versions 0.17.0 to before 0.17.1. It allows a low-privilege authenticated user, who is normally restricted to accessing only one camera, to access snapshots from other unauthorized cameras.

This happens due to two main issues: first, the `/api/timeline` endpoint returns timeline entries for cameras outside the user's allowed set because it does not filter by allowed cameras. Second, the `/api/events/{event_id}/snapshot-clean.webp` endpoint declares a dependency on a camera access check but does not properly validate the camera associated with the event after loading it. This combination lets an attacker enumerate event IDs from unauthorized cameras and then retrieve clean snapshots for those events.

In summary, the vulnerability is an authorization bypass that leads to a confidentiality breach by exposing snapshots from cameras the user should not have access to.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing unauthorized users with low privileges to view snapshots from cameras they are not permitted to access.

• Unauthorized enumeration of activity on cameras outside the user's permission.
• Retrieval of clean snapshots from unauthorized cameras.

This leads to a cross-camera confidentiality breach and an authorization bypass, potentially exposing sensitive visual information captured by other cameras.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to enumerate event IDs from cameras outside the authenticated user's allowed camera set and then trying to access snapshots for those events.

A proof of concept involves two steps:

• Step 1: As an authenticated user authorized only for a specific camera (e.g., "front"), request timeline entries for another camera (e.g., "garage") via the `/api/timeline` endpoint to obtain event IDs.
• Step 2: Use the obtained event IDs to fetch snapshots from `/api/events/{event_id}/snapshot-clean.webp` for unauthorized cameras.

Commands to test this might include HTTP requests such as:

• curl -u <user>:<password> "http://<frigate-server>/api/timeline?camera=garage"
• curl -u <user>:<password> "http://<frigate-server>/api/events/<event_id>/snapshot-clean.webp"

If these commands return timeline entries or snapshots for cameras the user is not authorized to access, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the Frigate software to version 0.17.1 or later, where this vulnerability is fixed.

Additional recommended mitigations include:

• Ensure that the `/api/timeline` and `/api/timeline/hourly` endpoints apply per-camera filtering based on the authenticated user's allowed cameras.
• Verify that the `/api/events/{event_id}/snapshot-clean.webp` endpoint explicitly enforces camera access authorization by calling `require_camera_access` with the event's camera.
• Audit all routes using `Depends(require_camera_access)` without a `camera_name` parameter to ensure proper authorization checks.

Useful 0 Not Useful 0