PT-2026-28484 · Frigate · Frigate

Bg0D-Glitch · Published 2026-03-26 · Updated 2026-03-26 · CVE-2026-33469

CVSS v3.1: 6.5 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Frigate version 0.17.0

Description

Frigate is a network video recorder (NVR) with real-time local object detection for IP cameras. In version 0.17.0, any authenticated, non-administrator user can retrieve the complete, unredacted Frigate configuration through the /api/config/raw API endpoint. The response exposes sensitive values that the /api/config endpoint intentionally hides, including camera credentials, go2rtc stream credentials, MQTT passwords, proxy secrets, and any other secrets stored in the config.yml file. The issue is a broken access control mechanism introduced during the refactoring of the administrator API: while /api/config/raw paths is restricted to administrators, the /api/config/raw endpoint remains accessible to any authenticated user. The vulnerable parameter is not explicitly mentioned.

Recommendations

Update to version 0.17.1 or later to resolve this issue.
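
For triage on an instance that ran 0.17.0, the following added example (not part of the advisory or the Frigate project) scans access logs for successful non-administrator reads of /api/config/raw. It assumes a reverse proxy in front of Frigate that writes Combined Log Format with the authenticated username in the third field; the function name, log lines, usernames and admin set are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
RAW_CONFIG_PATH = "/api/config/raw"  # endpoint named in the advisory


def find_raw_config_reads(lines, admins):
    """Return (time, user, host) for each successful non-admin GET of the raw config."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or m["method"] != "GET":
            continue
        # Compare the path only: drop the query string and a trailing slash, and
        # require an exact match so /api/config and longer paths are not counted.
        path = urlsplit(m["target"]).path.rstrip("/")
        if path != RAW_CONFIG_PATH:
            continue
        # Only 2xx responses carried the configuration body.
        if not m["status"].startswith("2") or m["user"] in admins:
            continue
        hits.append((m["time"], m["user"], m["host"]))
    return hits


# Constructed sample data: usernames, addresses and timestamps are made up.
ADMINS = {"alice"}
SAMPLE_LOG = [
    '192.0.2.5 - alice [20/Mar/2026:09:58:40 +0000] "GET /api/config/raw HTTP/1.1" 200 5120',
    '192.0.2.10 - viewer1 [20/Mar/2026:10:01:03 +0000] "GET /api/config HTTP/1.1" 200 4090',
    '192.0.2.10 - viewer1 [20/Mar/2026:10:02:11 +0000] "GET /api/config/raw HTTP/1.1" 200 5120',
    '192.0.2.22 - viewer2 [20/Mar/2026:11:15:47 +0000] "GET /api/config/raw?ts=1 HTTP/1.1" 200 5120',
    '192.0.2.22 - viewer2 [20/Mar/2026:11:16:02 +0000] "GET /api/config/raw-other HTTP/1.1" 200 87',
    '192.0.2.31 - viewer3 [20/Mar/2026:12:40:19 +0000] "GET /api/config/raw HTTP/1.1" 403 31',
    '192.0.2.99 - - [20/Mar/2026:13:05:55 +0000] "GET /api/config/raw HTTP/1.1" 401 27',
]

if __name__ == "__main__":
    for when, user, host in find_raw_config_reads(SAMPLE_LOG, ADMINS):
        print(f"{when}  user={user}  src={host}  read {RAW_CONFIG_PATH}")
```

Any hit means the secrets listed in the description should be treated as disclosed to that account.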

Exploit

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-33469
GHSA-26G3-F8G8-9FFH

Affected Products

Frigate