CVE-2026-33124 in frigate
Summary
by MITRE • 03/20/2026
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Versions prior to 0.17.0-beta1 allow any authenticated user to change their own password without verifying the current password through the /users/{username}/password endpoint. Changing a password does not invalidate existing JWT tokens, and there is no validation of password strength. If an attacker obtains a valid session token (e.g., via accidentally exposed JWT, stolen cookie, XSS, compromised device, or sniffing over HTTP), they can change the victim’s password and gain permanent control of the account. Since password changes do not invalidate existing JWT tokens, session hijacks persist even after a password reset. Additionally, the lack of password strength validation exposes accounts to brute-force attacks. This issue has been resolved in version 0.17.0-beta1.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/26/2026
The vulnerability described in CVE-2026-33124 affects Frigate NVR software versions prior to 0170-beta1, creating a critical authentication bypass and privilege escalation risk. This flaw exists within the password change functionality exposed through the /users/{username}/password endpoint, where the system fails to validate the current password before allowing modifications. The weakness stems from improper access control implementation, where authenticated users can manipulate their own credentials without proper authorization verification, representing a direct violation of authentication security principles.
The technical implementation of this vulnerability demonstrates a classic lack of input validation and session management security controls. When an attacker obtains a valid session token through various means including accidentally exposed JWT tokens, stolen cookies, cross-site scripting attacks, compromised devices, or network sniffing over unencrypted HTTP connections, they can execute unauthorized password changes against any authenticated user account. This represents a significant security gap that directly violates the principle of least privilege and proper credential management. The absence of password strength validation creates additional exposure points, making accounts vulnerable to brute-force attacks and dictionary attacks that could compromise user accounts through automated credential guessing.
The operational impact of this vulnerability extends beyond simple credential theft, as the system's failure to invalidate existing JWT tokens after password changes creates persistent session hijacking opportunities. Even after victims change their passwords, attackers who already possess valid session tokens can maintain unauthorized access to the system, effectively nullifying the password change as a security measure. This persistent access capability represents a sophisticated attack vector that can remain undetected for extended periods, allowing attackers to maintain long-term access to network video recording systems. The vulnerability affects the integrity and confidentiality of video surveillance data, potentially exposing sensitive security footage to unauthorized access.
Security controls and mitigations for this vulnerability should address both the immediate authentication bypass and the session management flaws. Organizations should immediately upgrade to Frigate version 0170-beta1 or later, which implements proper password verification mechanisms and JWT token invalidation upon password changes. Network administrators must also implement additional security measures including mandatory HTTPS encryption for all communications, proper session token management, and enforcement of strong password policies. The implementation of these fixes aligns with industry standards such as CWE-307, which addresses improper restriction of excessive authentication attempts, and follows ATT&CK framework techniques related to credential access and privilege escalation. Organizations should also conduct thorough security assessments of their network video recording systems to identify and remediate similar authentication weaknesses that could exist in other components of their security infrastructure.