Description
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator, or by anyone at all when users have exposed their Frigate install to the open internet with no authentication, which grants full administrative control. This vulnerability is fixed in 0.16.4.
Published: 2026-02-06
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution with Container Escape
Action: Patch Now
AI Analysis

Impact

The vulnerability originates in the go2rtc integration of Frigate: a user who can edit the video stream configuration file (config.yaml) can insert a system command via the exec: directive. go2rtc executes the injected command with no input sanitization, giving the attacker complete control over the host system. The flaw maps to several common weaknesses: execution with unnecessary privileges and improper privilege management (CWE-250, CWE-269), exposure of a resource to the wrong sphere (CWE-668), and OS command injection (CWE-78).

Affected Systems

The affected product is Frigate, developed by blakeblackshear. All installations running a version prior to 0.16.4 are vulnerable. The flaw can be exploited by anyone holding administrative privileges, or by anyone at all when an instance is exposed to the internet without authentication.

Risk and Exploitability

With a CVSS score of 9.1, the severity is critical. The EPSS score is below 1%, indicating a very low probability of public exploitation at the time of analysis, and the CVE is not yet listed in the CISA Known Exploited Vulnerabilities catalog. Nonetheless, the vulnerability can be triggered through remote manipulation of config.yaml. Because the attack requires either administrative credentials or an open, internet-facing Frigate instance, the likely attack vector is remote authenticated access in the first case and remote unauthenticated access in the second. Successful exploitation grants complete control of the host and the ability to escape the container environment.

Generated by OpenCVE AI on April 18, 2026 at 13:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frigate to version 0.16.4 or later to remove the unsanitized exec: directive handling.
  • Ensure Frigate is not exposed to the internet without proper authentication; use firewall rules or VPN to restrict external access.
  • Remove any manually added exec: entries from config.yaml and validate configuration files against a whitelist of allowed directives.
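One way to implement the last two recommended actions as a pre-deployment configuration check, as an added example that is not Frigate's or go2rtc's own code: it assumes Frigate nests its go2rtc stream map under the top-level go2rtc.streams keys and takes the config already parsed into a dict (for instance by yaml.safe_load).

```python
# Scan a parsed Frigate config for go2rtc stream sources that use the exec:
# scheme and check every source against an allow-list. Added example; not
# Frigate's or go2rtc's own code. Assumption: Frigate keeps the embedded
# go2rtc stream map under `go2rtc: streams:`, each stream a list of sources.
ALLOWED_SCHEMES = ("rtsp", "rtsps", "rtmp", "http", "https", "ffmpeg")


def _scheme(source: str) -> str:
    """Scheme prefix of a go2rtc source string ('exec:foo' -> 'exec')."""
    head, sep, _ = source.partition(":")
    return head.strip().lower() if sep else ""


def find_exec_sources(config: dict) -> list[tuple[str, str]]:
    """(path, value) for every string starting with 'exec:' anywhere in config."""
    hits: list[tuple[str, str]] = []

    def walk(node, path: str) -> None:
        if isinstance(node, dict):
            for key, val in node.items():
                walk(val, f"{path}.{key}" if path else str(key))
        elif isinstance(node, list):
            for idx, val in enumerate(node):
                walk(val, f"{path}[{idx}]")
        elif isinstance(node, str) and _scheme(node) == "exec":
            hits.append((path, node))

    walk(config, "")
    return hits


def validate_go2rtc_streams(config: dict, allowed=ALLOWED_SCHEMES) -> list[str]:
    """Findings for stream sources whose scheme is not allow-listed (empty = OK)."""
    findings = []
    streams = (config.get("go2rtc") or {}).get("streams") or {}
    for name, sources in streams.items():
        if isinstance(sources, str):  # a single source may be given as a scalar
            sources = [sources]
        for src in sources:
            scheme = _scheme(str(src))
            if scheme not in allowed:
                findings.append(f"go2rtc.streams.{name}: disallowed scheme {scheme!r} in {src!r}")
    return findings


# Constructed sample of a parsed config.yaml: one clean stream, one edited to use exec:
SAMPLE_CONFIG = {"go2rtc": {"streams": {
    "front": ["rtsp://192.0.2.10:554/stream1"],
    "back": ["exec:echo constructed-sample", "rtsp://192.0.2.11/live"],
}}}
```

Run find_exec_sources over the whole document as well as validate_go2rtc_streams, since an exec: source anywhere in the file is worth a look even if it sits outside the go2rtc section.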

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 19:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Frigate; Frigate frigate
CPEs | - | cpe:2.3:a:frigate:frigate:*:*:*:*:*:*:*:*
Vendors & Products | - | Frigate; Frigate frigate

Mon, 09 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Blakeblackshear; Blakeblackshear frigate
Vendors & Products | - | Blakeblackshear; Blakeblackshear frigate

Fri, 06 Feb 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | - | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | - | Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or users who have exposed their Frigate install to the open internet with no authentication which allows anyone full administrative control. This vulnerability is fixed in 0.16.4.
Title | - | Frigate Affected by Authenticated Remote Command Execution (RCE) and Container Escape
Weaknesses | - | CWE-250; CWE-269; CWE-668; CWE-78
References | - |
Metrics | - | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-06T20:24:33.963Z

Reserved: 2026-02-04T05:15:41.791Z

Link: CVE-2026-25643

Vulnrichment

Updated: 2026-02-06T20:24:13.679Z

NVD

Status: Analyzed

Published: 2026-02-06T20:16:11.607

Modified: 2026-02-11T19:00:39.877

Link: CVE-2026-25643

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:30:45Z