Description
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, a low-privilege authenticated user restricted to one camera can access snapshots from other cameras. This is possible through a chain of two authorization problems: `/api/timeline` returns timeline entries for cameras outside the caller's allowed camera set, then `/api/events/{event_id}/snapshot-clean.webp` declares `Depends(require_camera_access)` but never actually validates `event.camera` after looking up the event. Together, this allows a restricted user to enumerate event IDs from unauthorized cameras and then fetch clean snapshots for those events. Version 0.17.1 fixes the issue.
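The two checks the description names, modelled as an added example in plain Python rather than Frigate's own FastAPI code. `User`, `Event`, the in-memory `EVENTS` table, the `require_camera_access` stand-in and both handler versions are hypothetical simplifications of the pattern the advisory describes, and the sample events are constructed.

```python
"""Toy model of the authorization chain CVE-2026-33470 describes.

Hypothetical simplification, not Frigate's own code. It keeps only what the
advisory talks about: a user with an allowed-camera set, a timeline lookup,
and the snapshot-clean handler before and after the fix.
"""
from __future__ import annotations

from dataclasses import dataclass


class NotFound(Exception):
    """Stand-in for an HTTP 404."""


class Forbidden(Exception):
    """Stand-in for an HTTP 403."""


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False
    allowed_cameras: frozenset = frozenset()

    def can_access(self, camera: str) -> bool:
        return self.is_admin or camera in self.allowed_cameras


@dataclass(frozen=True)
class Event:
    id: str
    camera: str
    snapshot: bytes  # what snapshot-clean.webp would serve


# Constructed sample events: the restricted user below may only see front_door.
EVENTS = {
    "1711000000.1-abc": Event("1711000000.1-abc", "front_door", b"WEBP front"),
    "1711000001.2-def": Event("1711000001.2-def", "back_yard", b"WEBP back"),
}


def require_camera_access(user: User, camera: str | None) -> None:
    """Route-level dependency stand-in (an assumption about its shape).

    It can only check a camera named in the request. The snapshot route's path
    is /api/events/{event_id}/snapshot-clean.webp, which carries no camera, so
    the dependency has nothing to check and lets the request through.
    """
    if camera is not None and not user.can_access(camera):
        raise Forbidden(f"{user.name} may not access camera {camera}")


def timeline_unrestricted(user: User) -> list[str]:
    """Flaw 1: timeline entries are returned for every camera."""
    require_camera_access(user, None)
    return [e.id for e in EVENTS.values()]


def timeline_restricted(user: User) -> list[str]:
    """Fixed: entries are filtered to the caller's allowed camera set."""
    return [e.id for e in EVENTS.values() if user.can_access(e.camera)]


def snapshot_clean_vulnerable(user: User, event_id: str) -> bytes:
    """Flaw 2: the dependency passes (no camera in the path) and the handler
    never checks event.camera after the lookup."""
    require_camera_access(user, None)
    event = EVENTS.get(event_id)
    if event is None:
        raise NotFound(event_id)
    return event.snapshot


def snapshot_clean_fixed(user: User, event_id: str) -> bytes:
    """Fixed: the ownership check runs after the event is loaded, against the
    camera the event actually belongs to."""
    event = EVENTS.get(event_id)
    if event is None:
        raise NotFound(event_id)
    if not user.can_access(event.camera):
        raise Forbidden(f"{user.name} may not access camera {event.camera}")
    return event.snapshot


if __name__ == "__main__":
    viewer = User("viewer", allowed_cameras=frozenset({"front_door"}))
    print("timeline, unfiltered:", timeline_unrestricted(viewer))
    print("timeline, filtered:  ", timeline_restricted(viewer))
    other = "1711000001.2-def"
    print("vulnerable handler served:", snapshot_clean_vulnerable(viewer, other))
    try:
        snapshot_clean_fixed(viewer, other)
    except Forbidden as exc:
        print("fixed handler refused:", exc)
```

The point the model makes is that a dependency which only sees request parameters cannot protect a route keyed by an opaque resource id; the check has to be made on the loaded object's own `camera` field. Filtering the timeline alone would not be enough either, since event ids can arrive from other sources, which is why both halves of the chain need fixing.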
Published: 2026-03-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized snapshot disclosure across cameras
Action: Patch Immediately
AI Analysis

Impact

Frigate, a network video recorder, allows a low‑privilege authenticated user to view snapshots from cameras they are not authorized to access. Two authorization lapses enable this: the timeline API returns entries for all cameras, and the snapshot endpoint does not validate that the requested event belongs to the caller’s camera set. As a result, an attacker can enumerate event IDs from unauthorized cameras and fetch clean snapshot images.

Affected Systems

The vulnerability exists in Frigate version 0.17.0 released by blakeblackshear. Version 0.17.1 or later resolves the issue. Only installations running 0.17.0 are affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5, indicating moderate risk, and an EPSS score below 1%, suggesting low likelihood of widespread exploitation. It is not listed in the CISA KEV catalog. An attacker must first authenticate with a standard user account but can then exploit the exposed endpoints to retrieve sensitive camera media. While the attack does not grant code execution or system compromise, it allows unauthorized viewing of recorded footage, which may contain confidential or sensitive information.

Generated by OpenCVE AI on March 31, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Frigate 0.17.1 or later
  • Verify that API access is limited to authorized camera sets
  • Review and audit user permissions to ensure low‑privilege accounts cannot enumerate other cameras
  • Monitor API usage logs for suspicious timeline or snapshot requests
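One way to act on the log-monitoring item, as an added example rather than anything OpenCVE or Frigate ships: a script that reads access-log lines and flags `snapshot-clean.webp` requests whose event belongs to a camera outside the requesting user's allowed set. The log line format, the `ALLOWED` map and the `EVENT_CAMERA` map are constructed assumptions; a real deployment would fill them from its reverse-proxy log, the Frigate user configuration and the events database.

```python
"""Flag cross-camera snapshot requests in access logs (added example).

The log format below is an assumption for this example, not Frigate's real
log output: one request per line as
    <timestamp> user=<name> <METHOD> <path> <status>
The user->allowed-cameras map and the event->camera map would come from the
Frigate configuration and database; here both are constructed inline.
"""
from __future__ import annotations

import re
from collections import Counter

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
SNAPSHOT_RE = re.compile(r"^/api/events/(?P<event_id>[^/?]+)/snapshot-clean\.webp$")

# None means unrestricted (admin); constructed for the example.
ALLOWED: dict[str, frozenset[str] | None] = {
    "admin": None,
    "viewer": frozenset({"front_door"}),
}

# Event id -> camera, as the Frigate database would know it; constructed.
EVENT_CAMERA = {
    "1711000000.1-abc": "front_door",
    "1711000001.2-def": "back_yard",
}

# Constructed log: a restricted user fetching its own event, another camera's
# event, and an id that no event has; an admin fetching anything is fine.
SAMPLE_LOG = """\
2026-03-27T08:00:01Z user=viewer GET /api/timeline 200
2026-03-27T08:00:02Z user=viewer GET /api/events/1711000000.1-abc/snapshot-clean.webp 200
2026-03-27T08:00:03Z user=viewer GET /api/events/1711000001.2-def/snapshot-clean.webp 200
2026-03-27T08:00:04Z user=admin GET /api/events/1711000001.2-def/snapshot-clean.webp 200
2026-03-27T08:00:05Z user=viewer GET /api/events/1711000002.3-xyz/snapshot-clean.webp 404
"""


def find_cross_camera_snapshots(log_text: str, allowed=ALLOWED, event_camera=EVENT_CAMERA):
    """Return (timestamp, user, event_id, camera, status) for every snapshot
    request by a restricted user whose event lies outside their camera set.

    Unknown event ids are reported with camera None: a restricted user has no
    reason to request ids that never appeared in its own timeline, so even a
    404 there is worth counting. Accounts missing from the map are treated as
    having no cameras at all, so all of their snapshot requests are flagged.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        s = SNAPSHOT_RE.match(m["path"])
        if not s:
            continue  # only the snapshot-clean route is of interest here
        user = m["user"]
        cams = allowed.get(user, frozenset())
        if cams is None:
            continue  # unrestricted account
        camera = event_camera.get(s["event_id"])
        if camera is None or camera not in cams:
            findings.append((m["ts"], user, s["event_id"], camera, int(m["status"])))
    return findings


def per_user_counts(findings) -> Counter:
    """Cross-camera requests per restricted user, a quick triage view."""
    return Counter(f[1] for f in findings)


if __name__ == "__main__":
    hits = find_cross_camera_snapshots(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(per_user_counts(hits))
```

On a 0.17.0 install the flagged requests will have returned 200, so the status column is the quickest way to tell a successful disclosure from an attempt that was refused after the upgrade to 0.17.1.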


Advisories

No advisories yet.

History

Tue, 31 Mar 2026 13:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Frigate; Frigate frigate
CPEs | | cpe:2.3:a:frigate:frigate:0.17.0:*:*:*:*:*:*:*
Vendors & Products | | Frigate; Frigate frigate

Fri, 27 Mar 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Blakeblackshear; Blakeblackshear frigate
Vendors & Products | | Blakeblackshear; Blakeblackshear frigate

Thu, 26 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, a low-privilege authenticated user restricted to one camera can access snapshots from other cameras. This is possible through a chain of two authorization problems: `/api/timeline` returns timeline entries for cameras outside the caller's allowed camera set, then `/api/events/{event_id}/snapshot-clean.webp` declares `Depends(require_camera_access)` but never actually validates `event.camera` after looking up the event. Together, this allows a restricted user to enumerate event IDs from unauthorized cameras and then fetch clean snapshots for those events. Version 0.17.1 fixes the issue.
Title | | Frigate has cross-camera snapshot disclosure via unrestricted timeline IDs and missing authorization in /api/events/{event_id}/snapshot-clean.webp
Weaknesses | | CWE-862; CWE-863
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T17:31:15.497Z

Reserved: 2026-03-20T16:16:48.969Z

Link: CVE-2026-33470

Vulnrichment

Updated: 2026-03-26T17:30:58.356Z

NVD

Status : Analyzed

Published: 2026-03-26T17:16:41.320

Modified: 2026-03-31T12:58:02.200

Link: CVE-2026-33470

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:08:43Z

Weaknesses