Description
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or users who have exposed their Frigate install to the open internet with no authentication which allows anyone full administrative control. This vulnerability is fixed in 0.16.4.
Published: 2026-02-06
Score: 9.1 Critical
EPSS: 2.9% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the go2rtc component of Frigate when parsing the video stream configuration file (config.yaml). A user who can edit this file may insert a command via the exec: directive, and the go2rtc service runs the supplied command without input validation. The flaw maps to several CWE weaknesses (improper authorization, missing input validation, unsafe command execution and execution with unnecessary privileges), which together allow an attacker to execute arbitrary code and potentially escape the container environment.

Affected Systems

Frigate, a network video recorder produced by blakeblackshear, is vulnerable in all releases before version 0.16.4. The flaw is exploitable by anyone with administrative rights or by any user who accesses an internet‑exposed Frigate instance without authentication, giving them full control of the host system.

Risk and Exploitability

The CVSS score of 9.1 marks the issue as critical. The EPSS score of 3% indicates a non‑negligible likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely, either by authenticating as an administrator or by simply accessing an exposed Frigate installation over the public internet. Successful exploitation results in complete administrative control and the ability to escape the container, effectively compromising the entire host.

Generated by OpenCVE AI on June 18, 2026 at 13:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frigate to version 0.16.4 or later; this version removes the exec directive handling, mitigating OS command injection (CWE‑78) and the privilege escalation vulnerabilities (CWE‑250, CWE‑269).
  • Restrict access to the Frigate configuration files and the API by enforcing role‑based access control; this limits the ability of unauthorized users to edit config.yaml, addressing the lack of authorization (CWE‑668).
  • Sanitize or whitelist the exec: directive in config.yaml; if the directive must be used, enforce strict validation to prevent arbitrary command execution (CWE‑78).
  • Enable network isolation or firewall rules so that only authenticated administrators can reach the Frigate instance; this reduces exposure and mitigates the risk of remote exploitation.
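The second and third actions above amount to auditing config.yaml for the exec: directive before it reaches go2rtc. The script below is an added example of such a check, not OpenCVE's or the Frigate project's code. It assumes the documented Frigate layout for go2rtc streams (go2rtc -> streams -> stream name -> one URL or a list of URLs), scans the file line by line so it needs no PyYAML, reports every stream source that starts with exec: together with its config path, and flags versions older than the fixed 0.16.4. The sample configuration embedded in it is constructed for the example; the exec: entry it contains is a plain ffmpeg relay, included only so the scanner has something to report.

```python
import re
from typing import List, Tuple

# Constructed sample Frigate config (not taken from the advisory). The go2rtc
# block follows the documented shape: go2rtc -> streams -> <name> -> source(s).
SAMPLE_CONFIG = """\
mqtt:
  host: mqtt.example.internal
go2rtc:
  streams:
    front_door:
      - rtsp://user:pass@192.0.2.10:554/stream1
      - "ffmpeg:front_door#audio=opus"
    back_yard:
      - "exec:ffmpeg -i rtsp://192.0.2.11/stream1 -c copy -f rtsp {output}"
    garage: rtsp://192.0.2.12:554/stream1
cameras:
  front_door:
    ffmpeg:
      inputs:
        - path: rtsp://127.0.0.1:8554/front_door
          roles: [detect]
"""

FIXED_VERSION = (0, 16, 4)  # first release without the vulnerable exec handling

KEY_RE = re.compile(r'^(\s*)([A-Za-z0-9_.-]+):\s*(.*)$')   # "  key: value"
ITEM_RE = re.compile(r'^(\s*)-\s*(.*)$')                   # "  - value"
EXEC_RE = re.compile(r'^["\']?exec:')                      # value is an exec: source


def find_exec_sources(config_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, dotted config path, source) for every exec: value.

    A small indentation-aware walk keeps a stack of enclosing keys so that a
    finding can be reported as e.g. go2rtc.streams.back_yard. Comments and
    blank lines are skipped; list items are attributed to the nearest key.
    """
    findings: List[Tuple[int, str, str]] = []
    stack: List[Tuple[int, str]] = []  # (indent, key)
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        m = KEY_RE.match(raw)
        if m:
            indent = len(m.group(1))
            while stack and stack[-1][0] >= indent:
                stack.pop()
            stack.append((indent, m.group(2)))
            value = m.group(3).strip()
        else:
            m = ITEM_RE.match(raw)
            if not m:
                continue
            value = m.group(2).strip()
        if EXEC_RE.match(value):
            path = '.'.join(key for _, key in stack)
            findings.append((lineno, path, value.strip('"\'')))
    return findings


def needs_upgrade(version: str) -> bool:
    """True when the given Frigate version string is older than 0.16.4."""
    parts = re.findall(r'\d+', version)[:3]
    numeric = tuple(int(p) for p in parts) + (0,) * (3 - len(parts))
    return numeric < FIXED_VERSION


def audit(config_text: str, version: str) -> List[str]:
    """Produce human-readable findings for an operator reviewing an install."""
    report = []
    if needs_upgrade(version):
        report.append(f"Frigate {version} is older than 0.16.4: upgrade (CVE-2026-25643)")
    for lineno, path, source in find_exec_sources(config_text):
        report.append(f"line {lineno}: exec: source under {path}: {source}")
    return report


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG, "0.16.3"):
        print(line)
```

Run it against a real config.yaml by replacing SAMPLE_CONFIG with the file contents; an empty report means no exec: sources were found and the version is at or past the fix. Because the walk is line-based, an exec: source written in YAML flow style on a single line (e.g. `back_yard: ["exec:..."]`) is still caught, but a source split across a multi-line block scalar is not, so treat the script as a first pass rather than a substitute for the upgrade.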

Generated by OpenCVE AI on June 18, 2026 at 13:42 UTC.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 19:15:00 +0000 (values added; nothing removed)

  First Time appeared: Frigate; Frigate frigate
  CPEs: cpe:2.3:a:frigate:frigate:*:*:*:*:*:*:*:*
  Vendors & Products: Frigate; Frigate frigate

Mon, 09 Feb 2026 11:00:00 +0000 (values added; nothing removed)

  First Time appeared: Blakeblackshear; Blakeblackshear frigate
  Vendors & Products: Blakeblackshear; Blakeblackshear frigate

Fri, 06 Feb 2026 21:15:00 +0000 (values added; nothing removed)

  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 19:30:00 +0000 (values added; nothing removed)

  Description: Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or users who have exposed their Frigate install to the open internet with no authentication which allows anyone full administrative control. This vulnerability is fixed in 0.16.4.
  Title: Frigate Affected by Authenticated Remote Command Execution (RCE) and Container Escape
  Weaknesses: CWE-250, CWE-269, CWE-668, CWE-78
  References: (none)
  Metrics: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-06T20:24:33.963Z

Reserved: 2026-02-04T05:15:41.791Z

Link: CVE-2026-25643

Vulnrichment

Updated: 2026-02-06T20:24:13.679Z

NVD

Status: Analyzed

Published: 2026-02-06T20:16:11.607

Modified: 2026-06-17T10:25:00.217

Link: CVE-2026-25643

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T13:45:05Z

Weaknesses

  • CWE-250: Execution with Unnecessary Privileges
  • CWE-269: Improper Privilege Management
  • CWE-668: Exposure of Resource to Wrong Sphere
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')