CVE-2026-54652
Deferred Deferred - Pending Action

Frigate Log Exposure Allows Credential Disclosure

Vulnerability report for CVE-2026-54652, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Frigate is an open source network video recorder. In version 0.17.1, the GET /api/logs/{service} endpoint allows any authenticated user including the viewer role to download Frigate and nginx logs, exposing auto-generated admin passwords and camera credentials logged in request query strings and enabling viewer-to-admin privilege escalation. A fixed release has not been identified.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
blakeblackshear frigate to 0.17.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-598 The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-532 The product writes sensitive information to a log file.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-54652 is a vulnerability in Frigate, an open source network video recorder, affecting version 0.17.1 and earlier. The issue arises because the GET /api/logs/{service} endpoint allows any authenticated user, including those with only viewer roles, to access Frigate and nginx logs. These logs contain sensitive information such as auto-generated admin passwords and camera credentials that were logged in request query strings.

Because of this, a user with viewer privileges can retrieve the admin password from the logs and escalate their privileges to admin, bypassing role restrictions. They can also extract camera credentials from nginx logs, enabling direct access to cameras via RTSP. The root causes include improper authorization checks on the log endpoints, logging sensitive data in plaintext, and insecure transmission of credentials via GET requests.

Impact Analysis

This vulnerability can have serious impacts on the confidentiality and integrity of your Frigate system. An attacker with viewer access can escalate their privileges to admin by obtaining the auto-generated admin password from logs, allowing them to fully control the system.

Additionally, the attacker can extract camera credentials from nginx logs, which enables unauthorized direct access to video streams. This compromises the privacy and security of your camera feeds.

The CVSS score of 8.1 (High) reflects that the attack is relatively easy to perform (low complexity, no user interaction required) and results in high confidentiality and integrity impacts.

Detection Guidance

This vulnerability can be detected by checking if authenticated users with viewer roles can access the /api/logs/frigate and /api/logs/nginx endpoints and retrieve sensitive information such as auto-generated admin passwords or camera credentials.

You can attempt to authenticate as a viewer and issue HTTP GET requests to these endpoints to see if logs containing sensitive credentials are accessible.

  • Use curl or similar tools to send authenticated requests to the endpoints, for example:
  • curl -H "Authorization: Bearer <viewer_token>" https://<frigate-server>/api/logs/frigate
  • curl -H "Authorization: Bearer <viewer_token>" https://<frigate-server>/api/logs/nginx

If these commands return logs containing admin passwords or camera credentials, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include restricting access to the /api/logs/{service} endpoints to admin users only, preventing viewer roles from accessing these logs.

Additionally, avoid logging sensitive credentials in plaintext or via query strings to reduce exposure.

Until a fixed release is available, consider applying access control rules at the network or proxy level to block viewer role access to these endpoints.

Monitor and audit log access to detect any unauthorized attempts to retrieve sensitive information.

Compliance Impact

This vulnerability allows authenticated users with viewer roles to access sensitive information such as auto-generated admin passwords and camera credentials. Exposure of such sensitive data can lead to unauthorized privilege escalation and unauthorized access to cameras.

The improper authorization checks and plaintext logging of sensitive credentials violate principles of data confidentiality and access control, which are critical requirements in standards like GDPR and HIPAA.

By exposing sensitive credentials and enabling privilege escalation, the vulnerability increases the risk of unauthorized data access and potential data breaches, which could result in non-compliance with regulations that mandate protection of personal and sensitive information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54652. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart