CVE-2026-33124
Published: 20 March 2026
Summary
CVE-2026-33124 is a high-severity Improper Authentication (CWE-287) vulnerability in Frigate. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and IA-11 (Re-authentication).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- IA-11 (Re-authentication): requires re-authentication for privileged actions such as password changes, preventing an attacker holding a stolen session token from altering the password without knowing the current one.
- IA-5 (Authenticator Management): enforces secure authenticator management, including password strength requirements and procedures for changing or revoking authenticators, mitigating weak passwords and unauthorized changes.
- AC-12 (Session Termination): mandates automatic session termination on organization-defined conditions such as password changes, invalidating stolen JWT tokens and preventing persistent account takeover.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE directly exposes a password-change endpoint (Exploit Public-Facing Application, T1190) that lacks current-password verification and token invalidation, enabling account takeover via password modification (Account Manipulation, T1098) and continued use of hijacked local accounts and sessions (Valid Accounts: Local Accounts, T1078.003); the missing strength validation also facilitates brute-force attacks (Brute Force, T1110).
NVD Description
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Versions prior to 0.17.0-beta1 allow any authenticated user to change their own password without verifying the current password through the /users/{username}/password endpoint. Changing a password does not invalidate existing JWT tokens, and there is no validation of password strength. If an attacker obtains a valid session token (e.g., via accidentally exposed JWT, stolen cookie, XSS, compromised device, or sniffing over HTTP), they can change the victim's password and gain permanent control of the account. Since password changes do not invalidate existing JWT tokens, session hijacks persist even after a password reset. Additionally, the lack of password strength validation exposes accounts to brute-force attacks. This issue has been resolved in version 0.17.0-beta1.
Deeper analysis
CVE-2026-33124 is an improper authentication vulnerability (CWE-287) in Frigate, an open-source network video recorder (NVR) with realtime local object detection for IP cameras. Versions prior to 0.17.0-beta1 allow any authenticated user to change their own password without verifying the current password via the /users/{username}/password endpoint. Password changes do not invalidate existing JWT tokens, and the software lacks validation for password strength. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with a valid session token—obtained via methods such as accidentally exposed JWTs, stolen cookies, XSS, compromised devices, or sniffing over HTTP—can exploit this to change the victim's password and achieve permanent account takeover. Because password changes fail to invalidate JWT tokens, the attacker's hijacked sessions persist even after the victim resets their password. The lack of password strength validation further enables brute-force attacks against accounts.
The vulnerability is resolved in Frigate version 0.17.0-beta1. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory at https://github.com/blakeblackshear/frigate/security/advisories/GHSA-24p8-r573-vwr2 and the fixing commit at https://github.com/blakeblackshear/frigate/commit/152e58520614610988bff3b6ff55d0aefd89c1b2.
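As an added illustration (not Frigate's code and not taken from the fixing commit), the following Python sketch shows the three defensive checks the advisory describes applied to a password-change handler: verifying the current password, rejecting weak passwords, and bumping a per-user token version so that sessions issued before the change no longer validate. The names User, Session, change_password and the strength policy are hypothetical, and Session stands in for the claims of a signed JWT.

```python
import hashlib, hmac, os, re
from dataclasses import dataclass

@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    token_version: int = 0  # bumped on every password change

@dataclass
class Session:  # stands in for the claims of a signed JWT (hypothetical)
    username: str
    token_version: int  # copied from the user when the token was issued

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_user(username: str, password: str) -> User:
    salt = os.urandom(16)
    return User(username, salt, _hash(password, salt))

def issue_session(user: User) -> Session:
    return Session(user.username, user.token_version)

def session_is_valid(user: User, session: Session) -> bool:
    # A token minted before the last password change carries a stale version.
    return (session.username == user.username
            and session.token_version == user.token_version)

def password_is_strong(pw: str) -> bool:
    # Minimal policy for the example: length plus three character classes.
    return len(pw) >= 12 and all(re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"\d"))

def change_password(user: User, session: Session, current: str, new: str) -> str:
    # Returns "ok" or a rejection reason; each check closes one gap in the advisory.
    if not session_is_valid(user, session):
        return "rejected: stale or foreign session"
    if not hmac.compare_digest(_hash(current, user.salt), user.pw_hash):
        return "rejected: current password incorrect"  # verify the current password
    if not password_is_strong(new):
        return "rejected: weak password"  # enforce strength
    user.salt = os.urandom(16)
    user.pw_hash = _hash(new, user.salt)
    user.token_version += 1  # invalidate every previously issued token
    return "ok"
```

After a successful change, a token issued before the change fails session_is_valid while a freshly issued one passes, which is the behaviour the advisory says was missing.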
Details
- CWE(s)