{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33469", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:16:48.969Z", "datePublished": "2026-03-26T17:05:29.583Z", "dateUpdated": "2026-03-26T18:23:56.714Z"}, "containers": {"cna": {"title": "Authenticated Frigate users can read the full unredacted configuration via `/api/config/raw", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh"}], "affected": [{"vendor": "blakeblackshear", "product": "frigate", "versions": [{"version": "= 0.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T17:05:29.583Z"}, "descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through `/api/config/raw`. This exposes sensitive values that are intentionally redacted from `/api/config`, including camera credentials, go2rtc stream credentials, MQTT passwords, proxy secrets, and any other secrets stored in `config.yml`. This appears to be a broken access control issue introduced by the admin-by-default API refactor: `/api/config/raw_paths` is admin-only, but `/api/config/raw` is still accessible to any authenticated user. Version 0.17.1 contains a patch."}], "source": {"advisory": "GHSA-26g3-f8g8-9ffh", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T17:47:08.689045Z", "id": "CVE-2026-33469", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:23:56.714Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33469", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T17:47:08.689045Z"}}}], "references": [{"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:47:18.695Z"}}], "cna": {"title": "Authenticated Frigate users can read the full unredacted configuration via `/api/config/raw", "source": {"advisory": "GHSA-26g3-f8g8-9ffh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "blakeblackshear", "product": "frigate", "versions": [{"status": "affected", "version": "= 0.17.0"}]}], "references": [{"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh", "name": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through `/api/config/raw`. This exposes sensitive values that are intentionally redacted from `/api/config`, including camera credentials, go2rtc stream credentials, MQTT passwords, proxy secrets, and any other secrets stored in `config.yml`. This appears to be a broken access control issue introduced by the admin-by-default API refactor: `/api/config/raw_paths` is admin-only, but `/api/config/raw` is still accessible to any authenticated user. Version 0.17.1 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T17:05:29.583Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33469", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:23:56.714Z", "dateReserved": "2026-03-20T16:16:48.969Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T17:05:29.583Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through `/api/config/raw`. This exposes sensitive values that are intentionally redacted from `/api/config`, including camera credentials, go2rtc stream credentials, MQTT passwords, proxy secrets, and any other secrets stored in `config.yml`. This appears to be a broken access control issue introduced by the admin-by-default API refactor: `/api/config/raw_paths` is admin-only, but `/api/config/raw` is still accessible to any authenticated user. Version 0.17.1 contains a patch."}], "id": "CVE-2026-33469", "lastModified": "2026-03-26T19:17:03.903", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T17:16:41.157", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.17.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "frigate", "source": "cna", "vendor": "blakeblackshear"}, "product": "frigate", "vendor": "blakeblackshear"}], "analysis": {"en": {"generated_at": "2026-03-26T19:50:58.094015+00:00", "value": {"mitigation_remediation": ["Upgrade to Frigate 0.17.1 or later to apply the official patch.", "If an upgrade cannot be performed immediately, block access to the \\/api\\/config\\/raw endpoint for non\u2011admin users, or restrict the API to trusted IP ranges using firewall or reverse\u2011proxy rules.", "After applying mitigation, confirm that the \\/api\\/config\\/raw endpoint no longer returns the raw configuration for standard users.", "Review the config.yml file, rotate any credentials that may have been exposed, and verify that secrets are adequately protected."], "summary": {"action": "Patch", "impact": "Unauthorized Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "Blake Blackshear Frigate versions prior to 0.17.1 are affected, as 0.17.1 contains a patch that restricts the raw configuration endpoint to administrators only. Any deployed instance running 0.17.0 or earlier with authenticated non\u2011admin accounts is at risk.", "description_and_impact": "An authenticated non\u2011admin user can retrieve the complete raw configuration of Frigate through the \\/api\\/config\\/raw endpoint. This raw configuration includes camera credentials, go2rtc stream credentials, MQTT passwords, proxy secrets, and any other secrets stored in config.yml that are normally redacted from the standard \\/api\\/config endpoint. Exposing these secrets compromises the confidentiality of the entire surveillance environment, potentially allowing attackers to access cameras, disrupt services, or pivot to other connected systems. The underlying weakness is a broken access control flaw (CWE\u2011863).", "risk_and_exploitability": "The CVSS v3.1 score is 6.5, indicating medium severity. No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog. Because the endpoint is reachable by any authenticated user, exploitation requires valid credentials but not elevated privileges. The data exposed has a high impact on confidentiality, yet the overall risk is moderate due to the authentication requirement and lack of evidence that this issue has been widely exploited. Nonetheless, compromised credentials could enable significant downstream attacks against cameras, MQTT brokers, and related services."}}}}, "created": "2026-03-27T08:33:36.639700+00:00", "updated": "2026-03-27T09:26:01.565190+00:00", "vendors": ["blakeblackshear", "blakeblackshear$PRODUCT$frigate"]}