CVE-2026-33469

{"id": "CVE-2026-33469", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-03-26T17:16:41.157", "references": [{"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through `/api/config/raw`. This exposes sensitive values that are intentionally redacted from `/api/config`, including camera credentials, go2rtc stream credentials, MQTT passwords, proxy secrets, and any other secrets stored in `config.yml`. This appears to be a broken access control issue introduced by the admin-by-default API refactor: `/api/config/raw_paths` is admin-only, but `/api/config/raw` is still accessible to any authenticated user. Version 0.17.1 contains a patch."}, {"lang": "es", "value": "Frigate es un grabador de v\u00eddeo en red (NVR) con detecci\u00f3n de objetos local en tiempo real para c\u00e1maras IP. En la versi\u00f3n 0.17.0, un usuario autenticado no administrador puede recuperar la configuraci\u00f3n completa sin procesar de Frigate a trav\u00e9s de `/api/config/raw`. Esto expone valores sensibles que son intencionalmente redactados de `/api/config`, incluyendo credenciales de c\u00e1mara, credenciales de flujo de go2rtc, contrase\u00f1as MQTT, secretos de proxy y cualquier otro secreto almacenado en `config.yml`. Esto parece ser un problema de control de acceso roto introducido por la refactorizaci\u00f3n de la API de administrador por defecto: `/api/config/raw_paths` es solo para administradores, pero `/api/config/raw` sigue siendo accesible para cualquier usuario autenticado. La versi\u00f3n 0.17.1 contiene un parche."}], "lastModified": "2026-03-31T13:07:34.250", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:frigate:frigate:0.17.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FB927AB9-39C9-4351-9838-750C739C0C59"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}