{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33469", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:16:48.969Z", "datePublished": "2026-03-26T17:05:29.583Z", "dateUpdated": "2026-03-26T18:23:56.714Z"}, "containers": {"cna": {"title": "Authenticated Frigate users can read the full unredacted configuration via `/api/config/raw", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh"}], "affected": [{"vendor": "blakeblackshear", "product": "frigate", "versions": [{"version": "= 0.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T17:05:29.583Z"}, "descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through `/api/config/raw`. This exposes sensitive values that are intentionally redacted from `/api/config`, including camera credentials, go2rtc stream credentials, MQTT passwords, proxy secrets, and any other secrets stored in `config.yml`. This appears to be a broken access control issue introduced by the admin-by-default API refactor: `/api/config/raw_paths` is admin-only, but `/api/config/raw` is still accessible to any authenticated user. Version 0.17.1 contains a patch."}], "source": {"advisory": "GHSA-26g3-f8g8-9ffh", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T17:47:08.689045Z", "id": "CVE-2026-33469", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:23:56.714Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33469", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T17:47:08.689045Z"}}}], "references": [{"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:47:18.695Z"}}], "cna": {"title": "Authenticated Frigate users can read the full unredacted configuration via `/api/config/raw", "source": {"advisory": "GHSA-26g3-f8g8-9ffh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "blakeblackshear", "product": "frigate", "versions": [{"status": "affected", "version": "= 0.17.0"}]}], "references": [{"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh", "name": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through `/api/config/raw`. This exposes sensitive values that are intentionally redacted from `/api/config`, including camera credentials, go2rtc stream credentials, MQTT passwords, proxy secrets, and any other secrets stored in `config.yml`. This appears to be a broken access control issue introduced by the admin-by-default API refactor: `/api/config/raw_paths` is admin-only, but `/api/config/raw` is still accessible to any authenticated user. Version 0.17.1 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T17:05:29.583Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33469", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:23:56.714Z", "dateReserved": "2026-03-20T16:16:48.969Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T17:05:29.583Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:frigate:frigate:0.17.0:*:*:*:*:*:*:*", "matchCriteriaId": "FB927AB9-39C9-4351-9838-750C739C0C59", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through `/api/config/raw`. This exposes sensitive values that are intentionally redacted from `/api/config`, including camera credentials, go2rtc stream credentials, MQTT passwords, proxy secrets, and any other secrets stored in `config.yml`. This appears to be a broken access control issue introduced by the admin-by-default API refactor: `/api/config/raw_paths` is admin-only, but `/api/config/raw` is still accessible to any authenticated user. Version 0.17.1 contains a patch."}, {"lang": "es", "value": "Frigate es un grabador de v\u00eddeo en red (NVR) con detecci\u00f3n de objetos local en tiempo real para c\u00e1maras IP. En la versi\u00f3n 0.17.0, un usuario autenticado no administrador puede recuperar la configuraci\u00f3n completa sin procesar de Frigate a trav\u00e9s de `/api/config/raw`. Esto expone valores sensibles que son intencionalmente redactados de `/api/config`, incluyendo credenciales de c\u00e1mara, credenciales de flujo de go2rtc, contrase\u00f1as MQTT, secretos de proxy y cualquier otro secreto almacenado en `config.yml`. Esto parece ser un problema de control de acceso roto introducido por la refactorizaci\u00f3n de la API de administrador por defecto: `/api/config/raw_paths` es solo para administradores, pero `/api/config/raw` sigue siendo accesible para cualquier usuario autenticado. La versi\u00f3n 0.17.1 contiene un parche."}], "id": "CVE-2026-33469", "lastModified": "2026-03-31T13:07:34.250", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T17:16:41.157", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.17.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "frigate", "source": "cna", "vendor": "blakeblackshear"}, "product": "frigate", "vendor": "blakeblackshear"}], "analysis": {"en": {"generated_at": "2026-03-31T14:36:58.264356+00:00", "value": {"mitigation_remediation": ["Apply the 0.17.1 patch or upgrade to a newer Frigate release in which /api/config/raw is restricted to administrators.", "If an immediate upgrade is not feasible, restrict access to the /api/config/raw endpoint so only admin users can call it, for example by adjusting API permissions or applying firewall rules.", "Verify that requests to /api/config/raw now return redacted values and that no secret data is exposed.", "Monitor authentication logs for unusual access to the configuration endpoint.", "Review user roles and minimize the number of authenticated non\u2011admin accounts."], "summary": {"action": "Patch Immediately", "impact": "Sensitive configuration disclosure"}, "threat_synthesis": {"affected_systems": "Frigate, a network video recorder by Blake Blackshear, is affected in version 0.17.0. Version 0.17.1 includes a patch that restricts the raw configuration endpoint to administrators only; no other versions are listed as impacted.", "description_and_impact": "The vulnerability allows an authenticated user who is not an administrator to retrieve the entire raw configuration file at /api/config/raw, bypassing the intended restriction that only admin users may view sensitive configuration data. This exposes camera, stream, MQTT, proxy secrets, and any other credentials stored in config.yml, constituting a breach of confidentiality as a broken access control flaw (CWE\u2011863).", "risk_and_exploitability": "With a CVSS score of 6.5, the vulnerability is medium severity and the EPSS score of less than 1% indicates low exploitation probability. It is not listed in CISA\u2019s KEV catalog. Exploitation requires legitimate authentication to the API; a non\u2011admin user can simply request /api/config/raw and receive the unredacted file, potentially enabling credential compromise and downstream attacks on connected devices."}}}}, "created": "2026-03-27T08:33:36.639700+00:00", "updated": "2026-03-31T20:08:44.515182+00:00", "vendors": ["blakeblackshear", "blakeblackshear$PRODUCT$frigate"]}