PT-2026-28485 · Frigate · Frigate

Bg0D-Glitch · Published 2026-03-26 · Updated 2026-03-26 · CVE-2026-33470

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Frigate version 0.17.0

Description

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. A low-privilege authenticated user restricted to one camera can access snapshots from other cameras. This is possible due to authorization problems in two API endpoints: /api/timeline returns timeline entries for cameras outside the caller's allowed camera set, and /api/events/{event_id}/snapshot-clean.webp does not validate event.camera after looking up the event, despite declaring Depends(require_camera_access). This allows a restricted user to enumerate event IDs from unauthorized cameras and then fetch clean snapshots for those events using the event_id variable.

Recommendations

Update to version 0.17.1 or later.
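
The two authorization gaps described above, modelled next to their corrected forms, with a regression check that reports which cameras a restricted caller can still reach. This is an added example, not Frigate's code: the in-memory event store, camera names, event IDs and function names are all constructed for illustration.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Stand-in for an HTTP 403 response."""

@dataclass(frozen=True)
class Event:
    id: str
    camera: str
    snapshot: bytes

# Constructed sample data: one event per camera.
EVENTS = {e.id: e for e in (
    Event("evt-front-1", "front_door", b"front-webp"),
    Event("evt-back-1", "backyard", b"back-webp"),
)}

def timeline_unfiltered(allowed):
    # Flawed pattern: entries for every camera, regardless of the caller.
    return [e.id for e in EVENTS.values()]

def timeline_filtered(allowed):
    # Corrected pattern: only entries from the caller's allowed camera set.
    return [e.id for e in EVENTS.values() if e.camera in allowed]

def snapshot_unchecked(allowed, event_id):
    # Flawed pattern: event is looked up, event.camera is never checked.
    return EVENTS[event_id].snapshot

def snapshot_checked(allowed, event_id):
    # Corrected pattern: authorize on the camera of the event actually loaded.
    event = EVENTS.get(event_id)
    if event is None or event.camera not in allowed:
        raise Forbidden(event_id)
    return event.snapshot

def leaked_cameras(allowed, timeline_fn, snapshot_fn):
    """Regression check: cameras outside `allowed` whose data is reachable."""
    others = [e for e in EVENTS.values() if e.camera not in allowed]
    listed = set(timeline_fn(allowed))
    leaked = {e.camera for e in others if e.id in listed}
    for event in others:
        try:
            snapshot_fn(allowed, event.id)
            leaked.add(event.camera)
        except Forbidden:
            pass
    return leaked
```

Running `leaked_cameras` against each pairing shows that both checks are needed: filtering the timeline alone still leaves the snapshot reachable for anyone who obtains an event ID another way.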

Exploit

Fix

Weakness Enumeration

Incorrect Authorization
Missing Authorization

Related Identifiers

CVE-2026-33470
GHSA-M2MG-PJ9P-2R7G

Affected Products

Frigate