{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33125", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T20:35:49.926Z", "datePublished": "2026-03-20T09:22:39.139Z", "dateUpdated": "2026-03-20T15:39:11.110Z"}, "containers": {"cna": {"title": "Frigate Broken Access Control: Users assigned the viewer role can delete admin and other low-privileged accounts", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-vg28-83rp-8xx4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-vg28-83rp-8xx4"}, {"name": "https://github.com/blakeblackshear/frigate/releases/tag/v0.16.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/blakeblackshear/frigate/releases/tag/v0.16.3"}], "affected": [{"vendor": "blakeblackshear", "product": "frigate", "versions": [{"version": "< 0.16.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T09:22:39.139Z"}, "descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user accounts. Exploitation can lead to DoS and affect data integrity. This issue has been patched in version 0.16.3."}], "source": {"advisory": "GHSA-vg28-83rp-8xx4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T15:38:59.459780Z", "id": "CVE-2026-33125", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:39:11.110Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33125", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T15:38:59.459780Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:39:06.734Z"}}], "cna": {"title": "Frigate Broken Access Control: Users assigned the viewer role can delete admin and other low-privileged accounts", "source": {"advisory": "GHSA-vg28-83rp-8xx4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "blakeblackshear", "product": "frigate", "versions": [{"status": "affected", "version": "< 0.16.3"}]}], "references": [{"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-vg28-83rp-8xx4", "name": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-vg28-83rp-8xx4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/blakeblackshear/frigate/releases/tag/v0.16.3", "name": "https://github.com/blakeblackshear/frigate/releases/tag/v0.16.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user accounts. Exploitation can lead to DoS and affect data integrity. This issue has been patched in version 0.16.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T09:22:39.139Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33125", "state": "PUBLISHED", "dateUpdated": "2026-03-20T15:39:11.110Z", "dateReserved": "2026-03-17T20:35:49.926Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T09:22:39.139Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:frigate:frigate:*:*:*:*:*:*:*:*", "matchCriteriaId": "4B744C6E-3CD3-4E1B-86E8-4159D6364293", "versionEndExcluding": "0.16.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user accounts. Exploitation can lead to DoS and affect data integrity. This issue has been patched in version 0.16.3."}, {"lang": "es", "value": "Frigate es un grabador de v\u00eddeo en red (NVR) con detecci\u00f3n de objetos local en tiempo real para c\u00e1maras IP. En las versiones 0.16.2 e inferiores, los usuarios con el rol de espectador pueden eliminar cuentas de administrador y de usuario con pocos privilegios. La explotaci\u00f3n puede conducir a DoS y afectar la integridad de los datos. Este problema ha sido parcheado en la versi\u00f3n 0.16.3."}], "id": "CVE-2026-33125", "lastModified": "2026-03-20T20:01:42.793", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T10:16:19.013", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/blakeblackshear/frigate/releases/tag/v0.16.3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-vg28-83rp-8xx4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.16.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "frigate", "source": "cna", "vendor": "blakeblackshear"}, "product": "frigate", "vendor": "blakeblackshear"}], "analysis": {"en": {"generated_at": "2026-03-20T21:25:47.110924+00:00", "value": {"mitigation_remediation": ["Upgrade Frigate to version 0.16.3 or later to apply the fix for broken access control.", "If an upgrade cannot be performed immediately, revoke or delete any viewer\u2011role accounts that may be able to delete critical accounts until the patch is applied.", "After applying the patch or revoking accounts, verify that administrator and low\u2011privileged accounts can no longer be removed by users with viewer privileges and monitor logs for unauthorized deletion attempts."], "summary": {"action": "Apply Patch", "impact": "Account Deletion / Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected product is Frigate, a network video recorder developed by blakeblackshear. All releases up to and including 0.16.2 are susceptible; users of 0.16.3 and newer are safe.", "description_and_impact": "A flaw in Frigate versions 0.16.2 and earlier allows any user with the viewer role to delete administrator and other low\u2011privileged accounts, which removes critical users and can lead to loss of data integrity and a denial of service for legitimate users. This is a classic broken access control vulnerability classified as CWE\u2011285.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.1 and an EPSS rating below 1\u202f%, indicating current exploitation is unlikely but possible. It is not listed in CISA\u2019s KEV catalog. Exploitation requires an authenticated viewer account, so the attack vector is an authenticated, non\u2011privileged user modifying system state, as inferred from the description."}}}}, "created": "2026-03-20T11:05:22.312749+00:00", "updated": "2026-03-25T14:29:41.402606+00:00", "vendors": ["blakeblackshear", "blakeblackshear$PRODUCT$frigate"]}