CVE-2026-33126 MEDIUM

CVE-2026-33126: Frigate has SSRF vulnerability in /ffprobe endpoint

Vendor Blakeblackshear
Product frigate
Weakness CWE-918 · SSRF
Published March 20, 2026
Last update March 25, 2026

CVSS base score

5.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

What the vulnerability does

01Description

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to version 0.16.3, the /ffprobe endpoint accepts arbitrary user-controlled URLs without proper validation, allowing Server-Side Request Forgery (SSRF) attacks. An attacker can use the Frigate server to make HTTP requests to internal network resources, cloud metadata services, or perform port scanning. This issue has been patched in version 0.16.3.

Key dates

02Disclosure timeline

March 20, 2026 CVE published
March 25, 2026 Record updated