Description
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to version 0.16.3, the /ffprobe endpoint accepts arbitrary user-controlled URLs without proper validation, allowing Server-Side Request Forgery (SSRF) attacks. An attacker can use the Frigate server to make HTTP requests to internal network resources, cloud metadata services, or perform port scanning. This issue has been patched in version 0.16.3.
Published: 2026-03-20
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery
Action: Immediate Patch
AI Analysis

Impact

An attacker who can send a crafted HTTP request to the Frigate server's /ffprobe endpoint can cause the server to fetch an arbitrary URL. Because the URL is not validated, the attacker can force the server to contact internal network hosts or cloud instance metadata services, or use it to perform port scans. This vulnerability (CWE-918) can lead to information disclosure and potential escalation to other internal resources, but it does not directly provide code execution. The primary impact is the compromise of confidentiality and availability of internal resources accessed by the server.

Affected Systems

The vulnerability affects the Frigate network video recorder (NVR) developed by blakeblackshear. All releases prior to version 0.16.3 are vulnerable. Versions 0.16.3 and later contain a patch that validates URLs before processing.

Risk and Exploitability

The CVSS base score of 5.0 indicates a moderate severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. Attackers need to be able to reach the Frigate server to send the /ffprobe request; this typically means a local network attacker or a publicly exposed Frigate instance. While the vulnerability does not grant arbitrary code execution, the ability to reach internal services can be leveraged for lateral movement or data exfiltration if other controls are weak.

Generated by OpenCVE AI on March 23, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Frigate to version 0.16.3 or later to apply the official patch.
  • Restrict external access to the /ffprobe endpoint or disable it if not required.
  • Place the Frigate server behind a firewall or only expose it to trusted networks.
  • Monitor service logs for unexpected /ffprobe calls or outbound HTTP requests to unusual hosts.
  • Consider network segmentation to limit the impact if an internal resource is accessed.
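
One way to act on the log-monitoring recommendation above, as an added example (not Frigate's or OpenCVE's code): it scans access-log lines for /ffprobe requests and flags probe targets that fall outside an expected camera subnet. The log format, the `paths` query parameter name, the camera subnet and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: all cameras live on this subnet; any other target is unexpected.
CAMERA_NETS = [ipaddress.ip_network("192.168.50.0/24")]
# Assumption: the URL to probe arrives in a query parameter named "paths".
TARGET_PARAM = "paths"
# Assumption: common/combined access-log format (client ... "METHOD uri HTTP/x" status).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log lines, not taken from a real system.
SAMPLE_LOG = [
    '192.168.1.20 - - [23/Mar/2026:10:00:01 +0000] "GET /ffprobe?paths=rtsp%3A%2F%2F192.168.50.10%3A554%2Fstream HTTP/1.1" 200 512',
    '192.168.1.77 - - [23/Mar/2026:10:02:13 +0000] "GET /ffprobe?paths=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 87',
    '192.168.1.77 - - [23/Mar/2026:10:02:15 +0000] "GET /ffprobe?paths=http%3A%2F%2F127.0.0.1%3A6379%2F HTTP/1.1" 200 87',
]

def classify_target(target):
    """Return a reason string if a probe target looks suspicious, else None."""
    host = urlsplit(target).hostname
    if host is None:
        return None  # local path or device, not a network fetch
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return f"hostname target {host} (resolve and review)"
    if any(ip in net for net in CAMERA_NETS):
        return None
    if ip.is_loopback:
        return f"loopback address {ip}"
    if ip.is_link_local:  # checked before is_private: metadata services live here
        return f"link-local address {ip} (cloud metadata range)"
    if ip.is_private:
        return f"internal address {ip} outside camera subnet"
    return f"external address {ip}"

def find_suspicious_probes(log_lines):
    """Return (client, target, reason) for each flagged /ffprobe request."""
    findings = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        parts = urlsplit(m.group(2)) if m else None
        if parts is None or not parts.path.rstrip("/").endswith("/ffprobe"):
            continue
        for target in parse_qs(parts.query).get(TARGET_PARAM, []):
            reason = classify_target(target)
            if reason:
                findings.append((m.group(1), target, reason))
    return findings
```

Hostname targets are flagged for review rather than resolved, since the address a name resolves to at review time may differ from what the server contacted.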


Advisories

No advisories yet.

History

Wed, 25 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 19:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Frigate, Frigate frigate
CPEs | | cpe:2.3:a:frigate:frigate:*:*:*:*:*:*:*:*
Vendors & Products | | Frigate, Frigate frigate

Mon, 23 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Blakeblackshear, Blakeblackshear frigate
Vendors & Products | | Blakeblackshear, Blakeblackshear frigate

Fri, 20 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to version 0.16.3, the /ffprobe endpoint accepts arbitrary user-controlled URLs without proper validation, allowing Server-Side Request Forgery (SSRF) attacks. An attacker can use the Frigate server to make HTTP requests to internal network resources, cloud metadata services, or perform port scanning. This issue has been patched in version 0.16.3.
Title | | Frigate has SSRF vulnerability in /ffprobe endpoint
Weaknesses | | CWE-918
References | |
Metrics | | cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T13:57:25.515Z

Reserved: 2026-03-17T20:35:49.926Z

Link: CVE-2026-33126

Vulnrichment

Updated: 2026-03-25T13:57:22.339Z

NVD

Status: Analyzed

Published: 2026-03-20T20:16:48.597

Modified: 2026-03-23T19:17:05.200

Link: CVE-2026-33126

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:34:50Z

Weaknesses