Description
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user accounts. Exploitation can lead to DoS and affect data integrity. This issue has been patched in version 0.16.3.
Published: 2026-03-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Account Deletion / Denial of Service
Action: Apply Patch
AI Analysis

Impact

A flaw in Frigate versions 0.16.2 and earlier allows any user with the viewer role to delete administrator and other low‑privileged accounts, which removes critical users and can lead to loss of data integrity and a denial of service for legitimate users. This is a classic broken access control vulnerability classified as CWE‑285.

Affected Systems

The affected product is Frigate, a network video recorder developed by blakeblackshear. All releases up to and including 0.16.2 are susceptible; users of 0.16.3 and newer are safe.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.1 and an EPSS rating below 1 %, indicating current exploitation is unlikely but possible. It is not listed in CISA’s KEV catalog. Exploitation requires an authenticated viewer account, so the attack vector is an authenticated, non‑privileged user modifying system state, as inferred from the description.

Generated by OpenCVE AI on March 20, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Frigate to version 0.16.3 or later to apply the fix for broken access control.
  • If an upgrade cannot be performed immediately, revoke or delete any viewer‑role accounts that may be able to delete critical accounts until the patch is applied.
  • After applying the patch or revoking accounts, verify that administrator and low‑privileged accounts can no longer be removed by users with viewer privileges and monitor logs for unauthorized deletion attempts.

Generated by OpenCVE AI on March 20, 2026 at 21:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vg28-83rp-8xx4 Frigte has broken access control viewer user can delete admin and other users account
History

Fri, 20 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Frigate
Frigate frigate
CPEs cpe:2.3:a:frigate:frigate:*:*:*:*:*:*:*:*
Vendors & Products Frigate
Frigate frigate

Fri, 20 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Blakeblackshear
Blakeblackshear frigate
Vendors & Products Blakeblackshear
Blakeblackshear frigate

Fri, 20 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
Description Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user accounts. Exploitation can lead to DoS and affect data integrity. This issue has been patched in version 0.16.3.
Title Frigate Broken Access Control: Users assigned the viewer role can delete admin and other low-privileged accounts
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H'}

Subscriptions

Blakeblackshear Frigate
Frigate Frigate
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T15:39:11.110Z

Reserved: 2026-03-17T20:35:49.926Z

Link: CVE-2026-33125

cve-icon Vulnrichment

Updated: 2026-03-20T15:39:06.734Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T10:16:19.013

Modified: 2026-03-20T20:01:42.793

Link: CVE-2026-33125

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:29:41Z

Weaknesses