Description
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Versions prior to 0.17.0-beta1 allow any authenticated user to change their own password without verifying the current password through the /users/{username}/password endpoint. Changing a password does not invalidate existing JWT tokens, and there is no validation of password strength. If an attacker obtains a valid session token (e.g., via accidentally exposed JWT, stolen cookie, XSS, compromised device, or sniffing over HTTP), they can change the victim’s password and gain permanent control of the account. Since password changes do not invalidate existing JWT tokens, session hijacks persist even after a password reset. Additionally, the lack of password strength validation exposes accounts to brute-force attacks. This issue has been resolved in version 0.17.0-beta1.
Published: 2026-03-20
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Account takeover
Action: Immediate patch
AI Analysis

Impact

The vulnerability allows an authenticated user to change their own password without confirming the current password through the /users/{username}/password endpoint. The change does not invalidate existing JSON Web Tokens (JWTs) and there is no enforcement of password strength. Consequently, an attacker who gains access to a valid session token—through exposed JWTs, stolen cookies, cross‑site scripting, device compromise, or network sniffing—can change the victim’s password, lock out the original owner, and maintain permanent control over the account. This is a classic authentication bypass flaw identified as CWE‑287.
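The following Python sketch is an added illustration, not Frigate's code and not the fix that shipped in 0.17.0-beta1. It shows the three controls the advisory says the endpoint lacked (verifying the current password, enforcing a strength policy, and invalidating sessions issued before the change) next to the unsafe pattern, using an in-memory user store and a small HMAC-signed token that stands in for a JWT; the strength policy is an example rule, not a standard.

```python
# Constructed example: hardened password-change flow with session invalidation.
# Not Frigate's code; the user store, token format and policy are assumptions.
import base64
import hashlib
import hmac
import json
import os
import re
import secrets
import time

PBKDF2_ROUNDS = 100_000
SERVER_KEY = secrets.token_bytes(32)  # token signing key (per process, for the example)


class User:
    """Minimal in-memory account record (constructed for the example)."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        # Bumped on every successful change and embedded in tokens, so a token
        # minted before the change no longer matches the account.
        self.pw_version = 1


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: User) -> str:
    """HMAC-signed session token standing in for a JWT; carries the password version."""
    payload = {"sub": user.username, "pwv": user.pw_version, "iat": int(time.time())}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, users: dict):
    """Return the User the token belongs to, or None if it is forged or stale."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(_unb64(body))
    user = users.get(payload.get("sub"))
    # A token whose password version lags the account's was issued before the
    # last password change: reject it, so a hijacked session dies with the reset.
    if user is None or payload.get("pwv") != user.pw_version:
        return None
    return user


def password_is_strong(password: str) -> bool:
    """Example policy (an assumption): at least 12 characters and 2 character classes."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    classes = sum(bool(re.search(p, password)) for p in patterns)
    return len(password) >= 12 and classes >= 2


def change_password_unsafe(users: dict, token: str, new_password: str) -> bool:
    """The pattern the advisory describes: any valid session may set any new
    password; no current-password check, no policy, no token rotation."""
    user = verify_token(token, users)
    if user is None:
        return False
    user.pw_hash = hash_password(new_password, user.salt)
    return True  # pw_version untouched, so every existing token stays valid


def change_password(users: dict, token: str, current_password: str, new_password: str) -> str:
    """Hardened variant; returns a status string rather than raising, for clarity."""
    user = verify_token(token, users)
    if user is None:
        return "unauthenticated"
    # 1. Prove possession of the current password, not merely of a session.
    if not hmac.compare_digest(user.pw_hash, hash_password(current_password, user.salt)):
        return "bad_current_password"
    # 2. Refuse weak replacements so the account is not left open to guessing.
    if not password_is_strong(new_password):
        return "weak_password"
    # 3. Re-salt, store the new hash and bump the version: every previously issued
    #    token, including one an attacker may hold, now fails verify_token.
    user.salt = os.urandom(16)
    user.pw_hash = hash_password(new_password, user.salt)
    user.pw_version += 1
    return "ok"
```

With the hardened handler a token captured before the reset is rejected on its next use, which is the property the advisory notes was missing; real deployments would also rate-limit the endpoint and log the rejected attempts, since a failing current-password check from a live session is itself a useful detection signal.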

Affected Systems

Frigate, the open‑source network video recorder produced by blakeblackshear, is affected in all releases prior to 0.17.0-beta1. Users on those versions are vulnerable; upgrading to 0.17.0-beta1 or later resolves the issue.

Risk and Exploitability

The vulnerability has a CVSS score of 8.6, indicating high severity. The EPSS probability is under 1%, suggesting that exploitation is uncommon, and the flaw is not listed in the CISA KEV catalog. An attacker requires a valid authenticated session; once obtained, they can exploit the unauthorized password change and the continued validity of the JWT to hijack the account permanently. The lack of password strength validation also facilitates brute‑force attempts to compromise legitimate user credentials.

Generated by OpenCVE AI on March 23, 2026 at 17:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frigate to version 0.17.0-beta1 or newer.


Advisories

No advisories yet.

History

Mon, 23 Mar 2026 16:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Frigate; Frigate frigate
CPEs | | cpe:2.3:a:frigate:frigate:*:*:*:*:*:*:*:*
Vendors & Products | | Frigate; Frigate frigate
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 20 Mar 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Blakeblackshear; Blakeblackshear frigate
Vendors & Products | | Blakeblackshear; Blakeblackshear frigate

Fri, 20 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:30:00 +0000

Type | Values Removed | Values Added
Description | | (the description text shown at the top of this page)
Title | | Frigate has insecure password change functionality
Weaknesses | | CWE-287
References | |
Metrics | | cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T13:47:08.894Z

Reserved: 2026-03-17T20:35:49.926Z

Link: CVE-2026-33124

Vulnrichment

Updated: 2026-03-20T13:47:05.460Z

NVD

Status: Analyzed

Published: 2026-03-20T10:16:18.870

Modified: 2026-03-23T15:50:07.553

Link: CVE-2026-33124

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:29:42Z

Weaknesses