Cyber Resilience

CVE-2026-33125

High · Public PoC

Published: 20 March 2026
Modified: 20 March 2026
KEV Added: not listed
Patch: 0.16.3
CVSS Score (v3.1): 7.1 · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
EPSS Score: 0.0024 (15.2th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33125 is a high-severity Improper Authorization (CWE-285) vulnerability in Frigate. Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 15.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-33125 is an improper authorization vulnerability (CWE-285) affecting Frigate, an open-source network video recorder (NVR) with realtime local object detection for IP cameras. The issue exists in versions 0.16.2 and prior, where users assigned the viewer role are able to delete admin and low-privileged user accounts. This flaw has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H), indicating high severity due to its potential for significant availability impact with low integrity impact.

An attacker with a valid viewer role account can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By deleting admin or other low-privileged user accounts, the attacker can cause a denial of service (DoS) on the system and compromise data integrity, potentially disrupting access to the NVR and its recorded footage.

The Frigate project has addressed this issue in version 0.16.3, as detailed in the release notes and security advisory. Security practitioners should upgrade to 0.16.3 or later and review user permissions to ensure viewer roles lack elevated privileges. Relevant details are available in the GitHub release at https://github.com/blakeblackshear/frigate/releases/tag/v0.16.3 and the advisory at https://github.com/blakeblackshear/frigate/security/advisories/GHSA-vg28-83rp-8xx4.
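The flaw class and its fix, as an added illustration written for this page rather than Frigate's own code (the page does not show Frigate's internals): a user-deletion handler that trusts any authenticated caller, beside one that enforces the requester's role (AC-3, AC-6) and refuses to remove the last administrator, which is the availability failure the advisory describes. The `User`, `UserStore` and handler names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict

# Constructed role model: the page names Frigate's "admin" and "viewer" roles;
# the User/UserStore types and both handlers are hypothetical, not Frigate code.
ADMIN, VIEWER = "admin", "viewer"

@dataclass
class User:
    name: str
    role: str

@dataclass
class UserStore:
    users: Dict[str, User] = field(default_factory=dict)

    def admin_count(self) -> int:
        return sum(1 for u in self.users.values() if u.role == ADMIN)

def make_store() -> UserStore:
    """Constructed sample data: one admin and one viewer."""
    return UserStore({"alice": User("alice", ADMIN), "bob": User("bob", VIEWER)})

def delete_user_vulnerable(store: UserStore, requester: User, target: str) -> bool:
    """CWE-285 pattern: the caller is authenticated, but nobody checks whether
    this role may delete accounts. A viewer can remove every admin (DoS)."""
    if target not in store.users:
        return False
    del store.users[target]
    return True

def delete_user_hardened(store: UserStore, requester: User, target: str) -> bool:
    """Enforces the missing check (NIST AC-3), keeps viewers read-only (AC-6)
    and protects availability by refusing to remove the last admin account."""
    if requester.role != ADMIN:
        raise PermissionError(f"{requester.name} ({requester.role}) may not delete users")
    victim = store.users.get(target)
    if victim is None:
        return False
    if victim.role == ADMIN and store.admin_count() <= 1:
        raise PermissionError("refusing to delete the last admin account")
    del store.users[target]
    return True
```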

Vulnerability details

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user accounts. Exploitation can lead to DoS and affect data integrity. This issue has been patched in version 0.16.3.

CWE(s)

CWE-285 Improper Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1531 Account Access Removal (Impact): Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Why these techniques?

Improper authorization in the public-facing Frigate NVR web application directly enables remote exploitation (T1190) by low-privileged viewer accounts to delete admin accounts, achieving account access removal and availability impact (T1531).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25643 · Same product: Frigate
CVE-2026-33124 · Same product: Frigate
CVE-2025-11521 · Shared CWE-285
CVE-2025-49701 · Shared CWE-285
CVE-2026-22022 · Shared CWE-285
CVE-2026-25809 · Shared CWE-285
CVE-2023-53895 · Shared CWE-285
CVE-2026-34320 · Shared CWE-285
CVE-2026-33186 · Shared CWE-285
CVE-2026-40246 · Shared CWE-285

Affected Assets

Vendor: frigate
Product: frigate
Versions: ≤ 0.16.3

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: AC-3 mandates enforcement of approved authorizations, directly preventing viewer role users from deleting admin or low-privileged accounts in Frigate.

Prevent: AC-6 enforces least privilege, ensuring viewer roles lack the unnecessary capability to delete higher-privileged user accounts.

Prevent: AC-2 manages account lifecycle processes, including restrictions on account deletion to authorized roles only, mitigating unauthorized removals.
