CVE-2026-33125

Name of the Vulnerable Software and Affected Versions Frigate versions 0.16.2 and below

Description Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Users with the viewer role can delete admin and low-privileged user accounts, potentially leading to denial of service and affecting data integrity. The API endpoint DELETE /api/users/admin is accessible to unauthorized users. A proof of concept demonstrates the deletion of an admin user on demo.frigate.video.

Recommendations Versions prior to 0.16.3 should be updated. Restrict access to the DELETE /api/users/admin endpoint to authenticated admin users only by adding dependencies=[Depends(require role(["admin"]))]) to the endpoint.