CVE-2026-33125
Published: 20 March 2026
Summary
CVE-2026-33125 is a high-severity Improper Authorization (CWE-285) vulnerability in Frigate. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 15.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations, directly preventing viewer-role users from deleting admin or low-privileged accounts in Frigate.
AC-6 enforces least privilege, ensuring viewer roles lack the unnecessary capability to delete higher-privileged user accounts.
AC-2 manages account lifecycle processes, including restrictions on account deletion to authorized roles only, mitigating unauthorized removals.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper authorization in the public-facing Frigate NVR web application directly enables remote exploitation (T1190): a low-privileged viewer account can delete admin accounts, achieving account access removal (T1531) with an availability impact.
NVD Description
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user accounts. Exploitation can lead to DoS and affect data integrity. This issue has been patched in version 0.16.3.
Deeper analysis
CVE-2026-33125 is an improper authorization vulnerability (CWE-285) affecting Frigate, an open-source network video recorder (NVR) with realtime local object detection for IP cameras. The issue exists in versions 0.16.2 and prior, where users assigned the viewer role are able to delete admin and low-privileged user accounts. This flaw has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H), indicating high severity due to its potential for significant availability impact with low integrity impact.
An attacker with a valid viewer role account can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By deleting admin or other low-privileged user accounts, the attacker can cause a denial of service (DoS) on the system and compromise data integrity, potentially disrupting access to the NVR and its recorded footage.
The Frigate project has addressed this issue in version 0.16.3, as detailed in the release notes and security advisory. Security practitioners should upgrade to 0.16.3 or later and review user permissions to ensure viewer roles lack elevated privileges. Relevant details are available in the GitHub release at https://github.com/blakeblackshear/frigate/releases/tag/v0.16.3 and the advisory at https://github.com/blakeblackshear/frigate/security/advisories/GHSA-vg28-83rp-8xx4.
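The following is an added illustration of the CWE-285 pattern the advisory describes and of the AC-3/AC-6 controls that close it; it is not Frigate's code, and the user store, role names ("admin", "viewer") and function names are assumptions. The "before" handler checks only that the caller is authenticated, so any viewer can remove an admin; the "after" handler enforces the approved authorization, refuses self-deletion, refuses to remove the last admin (the lockout/DoS outcome), and records an audit line a defender can alert on.

```python
"""Illustrative authorization check for a user-deletion operation.

Hypothetical model of the CWE-285 pattern described in the advisory.
This is NOT Frigate's code; the store, roles and function names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List


class AuthorizationError(Exception):
    """Raised when the caller's role does not permit the operation."""


@dataclass
class User:
    username: str
    role: str  # assumed roles: "admin" or "viewer"


@dataclass
class UserStore:
    users: Dict[str, User] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)  # constructed audit trail

    def add(self, user: User) -> None:
        self.users[user.username] = user

    def admins(self) -> List[str]:
        return [u.username for u in self.users.values() if u.role == "admin"]


def delete_user_vulnerable(store: UserStore, actor: str, target: str) -> bool:
    """Before: only verifies that the caller is an authenticated user.
    No role check, so a viewer can delete an admin (the CWE-285 failure)."""
    if actor not in store.users:
        raise AuthorizationError("unauthenticated")
    if target not in store.users:
        return False
    del store.users[target]
    return True


def delete_user_hardened(store: UserStore, actor: str, target: str) -> bool:
    """After: enforces approved authorization (AC-3) and least privilege (AC-6).
    Only an admin may delete accounts, an account cannot delete itself, and
    the last admin cannot be removed (prevents lockout of the NVR)."""
    caller = store.users.get(actor)
    if caller is None:
        raise AuthorizationError("unauthenticated")
    if caller.role != "admin":
        # Denied attempts are logged: a viewer calling delete_user is a detection signal.
        store.audit.append(
            f"DENY delete_user actor={actor} role={caller.role} target={target}"
        )
        raise AuthorizationError("role 'admin' required to delete users")
    if target == actor:
        raise AuthorizationError("an account cannot delete itself")
    if target not in store.users:
        return False
    if store.users[target].role == "admin" and len(store.admins()) == 1:
        raise AuthorizationError("refusing to delete the last admin account")
    del store.users[target]
    store.audit.append(f"ALLOW delete_user actor={actor} target={target}")
    return True


def sample_store() -> UserStore:
    """Constructed sample accounts (not from the advisory)."""
    s = UserStore()
    s.add(User("admin", "admin"))
    s.add(User("alice", "viewer"))
    s.add(User("bob", "viewer"))
    return s


if __name__ == "__main__":
    s = sample_store()
    delete_user_vulnerable(s, "alice", "admin")
    print("vulnerable: admins left ->", s.admins())  # viewer removed the only admin
    s = sample_store()
    try:
        delete_user_hardened(s, "alice", "admin")
    except AuthorizationError as exc:
        print("hardened: denied ->", exc)
    print("audit:", s.audit)
```

The point of the hardened version is that the decision is made on the caller's role at the point of action, not on whether a session exists; the DENY audit line is also what a detection rule would key on to spot a viewer account probing administrative endpoints.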
Details
- CWE(s)