CVE-2026-54652 in Frigate
Summary
by MITRE • 07/08/2026
Frigate is an open source network video recorder. In version 0.17.1, the GET /api/logs/{service} endpoint allows any authenticated user including the viewer role to download Frigate and nginx logs, exposing auto-generated admin passwords and camera credentials logged in request query strings and enabling viewer-to-admin privilege escalation. A fixed release has not been identified.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/08/2026
The vulnerability exists within the Frigate network video recorder application at version 0.17.1 where the GET /api/logs/{service} endpoint fails to properly enforce authorization controls for log file access. This represents a critical privilege escalation issue that undermines the application's security model by allowing users with minimal viewer permissions to obtain sensitive system information through unauthorized access to system logs. The flaw occurs because the application does not validate whether the authenticated user possesses sufficient privileges to access specific log files, particularly those containing administrative credentials and camera configuration details.
The technical implementation of this vulnerability stems from inadequate access control mechanisms within the API endpoint design. When authenticated users request log data through the /api/logs/{service} path, the system fails to verify that the requesting user has appropriate administrative clearance before granting access to sensitive logging information. This oversight enables any authenticated user regardless of their assigned role to retrieve logs that contain auto-generated admin passwords and camera credentials that are inadvertently logged in query strings during API interactions. The exposure occurs because the application's logging mechanism does not sanitize or filter sensitive data from being written to log files, creating a persistent security risk.
The operational impact of this vulnerability extends beyond simple information disclosure to enable full administrative privilege escalation. A viewer role user can exploit this flaw to obtain system administrator passwords that allow complete control over the Frigate installation and all connected camera systems. Additionally, the exposure of camera credentials in query string parameters within logs creates a direct pathway for unauthorized access to surveillance equipment, potentially compromising entire security ecosystems. This vulnerability affects organizations relying on Frigate for network video monitoring who may unknowingly grant administrative capabilities to untrusted users through this privilege escalation vector.
This vulnerability aligns with CWE-285 (Improper Authorization) and represents a failure in the principle of least privilege enforcement within the application's API access controls. The flaw also corresponds to ATT&CK technique T1078 (Valid Accounts) as it enables attackers to leverage legitimate user credentials obtained through information disclosure to assume administrative roles. Organizations should immediately implement network segmentation to restrict access to the API endpoints, disable unnecessary logging of sensitive data, and enforce role-based access controls that properly validate user privileges before granting log file access. The lack of a fixed release at the time of analysis indicates that organizations must deploy immediate workarounds including API endpoint restrictions and enhanced monitoring of log access patterns.
The security implications of this vulnerability extend to broader compliance requirements under standards such as NIST SP 800-53 and ISO/IEC 27001, which mandate proper access controls and privilege management for system administrators. Organizations should implement mandatory logging of all API access attempts including user roles and requested resources, deploy automated monitoring for unusual log file access patterns, and conduct immediate audit reviews to identify any potential exploitation of this vulnerability across their network video surveillance infrastructure. The absence of a patched release at the time of analysis necessitates that security teams implement compensating controls such as API gateway rate limiting, enhanced authentication mechanisms, and regular security scanning of application endpoints for similar authorization bypass vulnerabilities.