Auth bypass in Blakeblackshear Frigate

CVE-2026-33124

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Versions prior to 0.17.0-beta1 allow any authenticated user to change their own password without verifying the current password through the /use…

Vulnerability class: Broken Authentication

EPSS: 0.001 (19.4th percentile) — read the EPSS interpretation.

Affected products

Blakeblackshear Frigate — versions < 0.17.0-beta1

Weakness classification (CWE)

CWE-287 — Improper Authentication

References

https://github.com/blakeblackshear/frigate/security/advisories/GHSA-24p8-r573-vwr2 (x_refsource_CONFIRM)
https://github.com/blakeblackshear/frigate/commit/152e58520614610988bff3b6ff55d0aefd89c1b2 (x_refsource_MISC)