{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33470", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:16:48.969Z", "datePublished": "2026-03-26T17:06:55.091Z", "dateUpdated": "2026-03-26T17:31:15.497Z"}, "containers": {"cna": {"title": "Frigate has cross-camera snapshot disclosure via unrestricted timeline IDs and missing authorization in /api/events/{event_id}/snapshot-clean.webp", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-m2mg-pj9p-2r7g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-m2mg-pj9p-2r7g"}], "affected": [{"vendor": "blakeblackshear", "product": "frigate", "versions": [{"version": "= 0.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T17:06:55.091Z"}, "descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, a low-privilege authenticated user restricted to one camera can access snapshots from other cameras. This is possible through a chain of two authorization problems: `/api/timeline` returns timeline entries for cameras outside the caller's allowed camera set, then `/api/events/{event_id}/snapshot-clean.webp` declares `Depends(require_camera_access)` but never actually validates `event.camera` after looking up the event. Together, this allows a restricted user to enumerate event IDs from unauthorized cameras and then fetch clean snapshots for those events. Version 0.17.1 fixes the issue."}], "source": {"advisory": "GHSA-m2mg-pj9p-2r7g", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-m2mg-pj9p-2r7g", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T17:31:11.772396Z", "id": "CVE-2026-33470", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:31:15.497Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33470", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T17:31:11.772396Z"}}}], "references": [{"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-m2mg-pj9p-2r7g", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:30:58.356Z"}}], "cna": {"title": "Frigate has cross-camera snapshot disclosure via unrestricted timeline IDs and missing authorization in /api/events/{event_id}/snapshot-clean.webp", "source": {"advisory": "GHSA-m2mg-pj9p-2r7g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "blakeblackshear", "product": "frigate", "versions": [{"status": "affected", "version": "= 0.17.0"}]}], "references": [{"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-m2mg-pj9p-2r7g", "name": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-m2mg-pj9p-2r7g", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, a low-privilege authenticated user restricted to one camera can access snapshots from other cameras. This is possible through a chain of two authorization problems: `/api/timeline` returns timeline entries for cameras outside the caller's allowed camera set, then `/api/events/{event_id}/snapshot-clean.webp` declares `Depends(require_camera_access)` but never actually validates `event.camera` after looking up the event. Together, this allows a restricted user to enumerate event IDs from unauthorized cameras and then fetch clean snapshots for those events. Version 0.17.1 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T17:06:55.091Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33470", "state": "PUBLISHED", "dateUpdated": "2026-03-26T17:31:15.497Z", "dateReserved": "2026-03-20T16:16:48.969Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T17:06:55.091Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:frigate:frigate:0.17.0:*:*:*:*:*:*:*", "matchCriteriaId": "FB927AB9-39C9-4351-9838-750C739C0C59", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, a low-privilege authenticated user restricted to one camera can access snapshots from other cameras. This is possible through a chain of two authorization problems: `/api/timeline` returns timeline entries for cameras outside the caller's allowed camera set, then `/api/events/{event_id}/snapshot-clean.webp` declares `Depends(require_camera_access)` but never actually validates `event.camera` after looking up the event. Together, this allows a restricted user to enumerate event IDs from unauthorized cameras and then fetch clean snapshots for those events. Version 0.17.1 fixes the issue."}, {"lang": "es", "value": "Frigate es un grabador de v\u00eddeo en red (NVR) con detecci\u00f3n local de objetos en tiempo real para c\u00e1maras IP. En la versi\u00f3n 0.17.0, un usuario autenticado con bajos privilegios restringido a una c\u00e1mara puede acceder a instant\u00e1neas de otras c\u00e1maras. Esto es posible a trav\u00e9s de una cadena de dos problemas de autorizaci\u00f3n: `/api/timeline` devuelve entradas de la l\u00ednea de tiempo para c\u00e1maras fuera del conjunto de c\u00e1maras permitidas del llamador, luego `/api/events/{event_id}/snapshot-clean.webp` declara `Depends(require_camera_access)` pero nunca valida realmente `event.camera` despu\u00e9s de buscar el evento. Juntos, esto permite a un usuario restringido enumerar IDs de eventos de c\u00e1maras no autorizadas y luego obtener instant\u00e1neas limpias para esos eventos. La versi\u00f3n 0.17.1 corrige el problema."}], "id": "CVE-2026-33470", "lastModified": "2026-03-31T12:58:02.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T17:16:41.320", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-m2mg-pj9p-2r7g"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-m2mg-pj9p-2r7g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.17.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "frigate", "source": "cna", "vendor": "blakeblackshear"}, "product": "frigate", "vendor": "blakeblackshear"}], "analysis": {"en": {"generated_at": "2026-03-31T14:36:34.775055+00:00", "value": {"mitigation_remediation": ["Upgrade to Frigate 0.17.1 or later", "Verify that API access is limited to authorized camera sets", "Review and audit user permissions to ensure low\u2011privilege accounts cannot enumerate other cameras", "Monitor API usage logs for suspicious timeline or snapshot requests"], "summary": {"action": "Patch Immediately", "impact": "Unauthorized snapshot disclosure across cameras"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in Frigate version 0.17.0 released by blakeblackshear. Version 0.17.1 or later resolves the issue. Only installations running 0.17.0 are affected.", "description_and_impact": "Frigate, a network video recorder, allows a low\u2011privilege authenticated user to view snapshots from cameras they are not authorized to access. Two authorization lapses enable this: the timeline API returns entries for all cameras, and the snapshot endpoint does not validate that the requested event belongs to the caller\u2019s camera set. As a result, an attacker can enumerate event IDs from unauthorized cameras and fetch clean snapshot images.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.5, indicating moderate risk, and an EPSS score below 1%, suggesting low likelihood of widespread exploitation. It is not listed in the CISA KEV catalog. An attacker must first authenticate with a standard user account but can then exploit the exposed endpoints to retrieve sensitive camera media. While the attack does not grant code execution or system compromise, it allows unauthorized viewing of recorded footage, which may contain confidential or sensitive information."}}}}, "created": "2026-03-27T08:33:35.784220+00:00", "updated": "2026-03-31T20:08:43.588734+00:00", "vendors": ["blakeblackshear", "blakeblackshear$PRODUCT$frigate"]}