CVE-2026-33126 in frigate
Summary
by MITRE • 03/20/2026
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to version 0.16.3, the /ffprobe endpoint accepts arbitrary user-controlled URLs without proper validation, allowing Server-Side Request Forgery (SSRF) attacks. An attacker can use the Frigate server to make HTTP requests to internal network resources, cloud metadata services, or perform port scanning. This issue has been patched in version 0.16.3.
Analysis
by VulDB Data Team • 03/27/2026
The vulnerability identified as CVE-2026-33126 affects Frigate, a network video recorder system that provides real-time local object detection for IP cameras. This system serves as a critical component in security infrastructure deployments where it processes video feeds from multiple camera sources and performs automated detection tasks. The flaw exists within the /ffprobe endpoint, which is designed to analyze media files and extract metadata information. Prior to version 0.16.3, this endpoint failed to properly validate user-provided URLs, creating a significant security gap that could be exploited by malicious actors. The vulnerability is classified as Server-Side Request Forgery (SSRF) under CWE-918, representing a well-documented attack pattern where an attacker manipulates a server into making unintended requests to internal or external systems. This particular implementation flaw allows attackers to leverage the Frigate server as an intermediary for network reconnaissance and exploitation activities.
The technical exploitation of this vulnerability enables attackers to craft malicious requests to the /ffprobe endpoint with arbitrary URLs that can target internal network resources. This capability allows for port scanning operations against internal systems that would normally be inaccessible from external networks, as the Frigate server acts as a proxy for these requests. Additionally, attackers can target cloud metadata services such as AWS metadata endpoints or Azure instance metadata services, potentially extracting sensitive information about cloud infrastructure and credentials. The SSRF attack vector enables unauthorized access to internal resources that may contain sensitive data or systems with elevated privileges, creating a pathway for further compromise within the network environment. The vulnerability demonstrates a critical lack of input validation and access control measures, as the system accepts user-supplied URLs without proper sanitization or restriction mechanisms.
The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with significant reconnaissance capabilities and potential access to internal network resources. Organizations deploying Frigate systems may unknowingly expose their internal infrastructure to external attackers who can use the compromised system to map network topology, identify running services, and potentially escalate privileges through access to cloud metadata or internal APIs. The vulnerability affects environments where Frigate is deployed in security-critical applications such as surveillance systems, industrial monitoring, or enterprise security infrastructures where the compromise of the NVR system could lead to complete loss of security monitoring capabilities. Furthermore, the attack surface includes potential exploitation of internal services that may not be properly protected or hardened, creating opportunities for privilege escalation or lateral movement within the network. This vulnerability directly impacts the principle of least privilege and demonstrates how a single unvalidated input can create a significant security risk in network infrastructure applications.
Mitigation strategies for CVE-2026-33126 require immediate patching to version 0.16.3 or later, which implements proper URL validation and input sanitization for the /ffprobe endpoint. Organizations should also implement network segmentation and access controls to limit the exposure of Frigate systems to internal network resources. Additional defensive measures include implementing network-based restrictions to prevent outbound connections from the Frigate server to sensitive internal services or cloud metadata endpoints. Security monitoring should be enhanced to detect unusual patterns in requests to the /ffprobe endpoint, particularly those targeting internal IP ranges or metadata services. The implementation of web application firewalls or API gateways can provide additional layers of protection by filtering and validating requests before they reach the vulnerable endpoint. Organizations should also conduct comprehensive security assessments of their Frigate deployments to identify and remediate similar vulnerabilities in other endpoints or components. This vulnerability highlights the importance of proper input validation and the principle of least privilege in security architecture, aligning with ATT&CK technique T1071.004 for application layer protocol usage and T1566 for credential access through network reconnaissance activities. Regular security updates and vulnerability assessments remain essential for maintaining the security posture of network infrastructure systems.
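The monitoring recommended above can be sketched as a log check; this is an added example, not code from Frigate or from this advisory. It assumes nginx-style access log lines, a query parameter named `paths` carrying the probe target, and a site-specific camera allowlist; the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions (not from the advisory): the probe target travels in a query
# parameter named "paths" (comma-separated) and cameras are allowlisted by IP.
PARAM = "paths"
KNOWN_CAMERAS = {"192.168.50.10", "192.168.50.11"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S*/ffprobe\?\S*) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '198.51.100.4 - - [27/Mar/2026:10:00:01 +0000] "GET /api/ffprobe?paths=rtsp%3A%2F%2F192.168.50.10%3A554%2Fstream HTTP/1.1" 200 812',
    '203.0.113.7 - - [27/Mar/2026:10:02:14 +0000] "GET /api/ffprobe?paths=http%3A%2F%2F169.254.169.254%2F HTTP/1.1" 200 301',
    '203.0.113.7 - - [27/Mar/2026:10:02:15 +0000] "GET /api/ffprobe?paths=http%3A%2F%2F10.0.0.5%3A22%2F,http%3A%2F%2F2130706433%3A6379%2F HTTP/1.1" 200 298',
    '198.51.100.4 - - [27/Mar/2026:10:05:00 +0000] "GET /api/events HTTP/1.1" 200 4096',
]

def classify_host(host):
    """Return a reason string if host is a suspicious probe target, else None."""
    host = (host or "").strip("[]").lower()
    if host in KNOWN_CAMERAS:
        return None  # expected camera probe
    if host == "localhost":
        return "loopback"
    try:
        # A bare integer (e.g. 2130706433) is an alternate spelling of an IPv4 address.
        ip = ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        return None  # hostname: needs a DNS-aware check, out of scope here
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local (cloud metadata range)"
    if ip.is_private:
        return "private address not in camera allowlist"
    return None

def scan(lines):
    """Return (client, target, reason) for each suspicious /ffprobe request."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        values = parse_qs(urlsplit(m.group(1)).query).get(PARAM, []) if m else []
        for target in (t.strip() for v in values for t in v.split(",")):
            reason = classify_host(urlsplit(target).hostname)
            if reason:
                findings.append((line.split(" ", 1)[0], target, reason))
    return findings
```

Only literal addresses are classified; a hostname that resolves to an internal address passes this check, so the egress restrictions described above are still needed.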