PT-2026-26098 · Pypi · Frigate
Published 2026-03-18 · Updated 2026-03-18 · CVE-2026-33125
CVSS v3.1: 7.1 High | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H |
Summary
Users with the viewer role can delete the admin account and other users' accounts. This leads to denial of service and affects data integrity.
Details
Endpoint
DELETE /api/users/admin is enabled for anonymous users.
PoC
I deleted the admin user on demo.frigate.video.
Impact
This leads to denial of service and affects data integrity.
Recommended Fixes
Restrict access to the endpoint to authenticated admin users only:
Add dependencies=[Depends(require_role(["admin"]))] to this endpoint.
Fix
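The recommended fix is a role-gating dependency that runs before the delete handler. The following is an added example, not Frigate's code: Request, HTTPException and require_role are minimal stand-ins for the FastAPI pattern so it runs without FastAPI installed, and the user table and role values are constructed.

```python
"""Role check for a DELETE /api/users/{username} handler, modelled on the
FastAPI dependency pattern the advisory recommends (stand-ins, not Frigate's code)."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass
class Request:
    # Stand-in for the request object a dependency inspects; the role is
    # taken from the authenticated session (constructed, not a Frigate field).
    role: Optional[str]


class HTTPException(Exception):
    def __init__(self, status_code: int, detail: str):
        super().__init__(detail)
        self.status_code = status_code


def require_role(required_roles: Iterable[str]) -> Callable[[Request], None]:
    """Dependency factory: the returned checker rejects a request whose
    session role is missing (401) or not in required_roles (403)."""
    allowed = set(required_roles)

    def checker(request: Request) -> None:
        if request.role is None:
            raise HTTPException(401, "not authenticated")
        if request.role not in allowed:
            raise HTTPException(403, "role not permitted")
    return checker


# Constructed user table; removing "admin" is the advisory's PoC case.
USERS = {"admin": "admin", "viewer1": "viewer"}


def delete_user_vulnerable(request: Request, username: str, users: dict) -> int:
    # Before: no role check, so any viewer session can remove the admin.
    users.pop(username, None)
    return 200


def delete_user_fixed(request: Request, username: str, users: dict,
                      dependencies=(require_role(["admin"]),)) -> int:
    # After: every dependency runs before the handler body, as FastAPI does.
    for dep in dependencies:
        dep(request)
    users.pop(username, None)
    return 200


def attempt(handler, role: Optional[str], username: str):
    """Run a handler against a fresh copy of USERS; return (status, admin_still_present)."""
    users = dict(USERS)
    try:
        status = handler(Request(role), username, users)
    except HTTPException as exc:
        status = exc.status_code
    return status, "admin" in users
```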
Weakness Enumeration
Improper Authorization
Related Identifiers
Affected Products
Frigate