CVE-2026-33125 HIGH

CVE-2026-33125: Frigate Broken Access Control: Users assigned the viewer role can delete admin and other low-privileged accounts

Vendor: Blakeblackshear
Product: frigate
Weakness: CWE-285
Published: March 20, 2026
Last update: March 20, 2026

CVSS base score

7.1/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

What the vulnerability does

01 Description

Frigate is a network video recorder (NVR) with real-time local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user accounts. Exploitation can lead to denial of service (DoS) and affect data integrity. This issue has been patched in version 0.16.3.

Key dates

02 Disclosure timeline

March 20, 2026: CVE published
March 20, 2026: Record updated