Description

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, a low-privilege authenticated user restricted to one camera can access snapshots from other cameras. This is possible through a chain of two authorization problems: `/api/timeline` returns timeline entries for cameras outside the caller's allowed camera set, then `/api/events/{event_id}/snapshot-clean.webp` declares `Depends(require_camera_access)` but never actually validates `event.camera` after looking up the event. Together, this allows a restricted user to enumerate event IDs from unauthorized cameras and then fetch clean snapshots for those events. Version 0.17.1 fixes the issue.

INFO

Published Date :

2026-03-26T17:06:55.091Z

Last Modified :

2026-03-26T17:31:15.497Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33470 vulnerability.

Vendors Products
Blakeblackshear
  • Frigate
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33470.

URL Resource
https://github.com/blakeblackshear/frigate/security/advisories/GHSA-m2mg-pj9p-2r7g cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact