{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33125", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T20:35:49.926Z", "datePublished": "2026-03-20T09:22:39.139Z", "dateUpdated": "2026-03-20T15:39:11.110Z"}, "containers": {"cna": {"title": "Frigate Broken Access Control: Users assigned the viewer role can delete admin and other low-privileged accounts", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-vg28-83rp-8xx4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-vg28-83rp-8xx4"}, {"name": "https://github.com/blakeblackshear/frigate/releases/tag/v0.16.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/blakeblackshear/frigate/releases/tag/v0.16.3"}], "affected": [{"vendor": "blakeblackshear", "product": "frigate", "versions": [{"version": "< 0.16.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T09:22:39.139Z"}, "descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user accounts. Exploitation can lead to DoS and affect data integrity. This issue has been patched in version 0.16.3."}], "source": {"advisory": "GHSA-vg28-83rp-8xx4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T15:38:59.459780Z", "id": "CVE-2026-33125", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:39:11.110Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user accounts. Exploitation can lead to DoS and affect data integrity. This issue has been patched in version 0.16.3."}], "id": "CVE-2026-33125", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T10:16:19.013", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/blakeblackshear/frigate/releases/tag/v0.16.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-vg28-83rp-8xx4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-20T10:50:24.204406+00:00", "value": {"mitigation_remediation": ["Upgrade Frigate to version 0.16.3 or later to remove the broken access control flaw.", "If an immediate upgrade is not possible, reassign viewer role users to a role that does not permit account deletion or disable the delete\u2011user functionality through configuration to block the exploit until a patch can be applied."], "summary": {"action": "Patch Now", "impact": "Unauthorized account deletion and potential denial of service in Frigate."}, "threat_synthesis": {"affected_systems": "The affected product is Frigate made by blakeblackshear. Versions 0.16.2 and earlier are impacted. The issue was fixed in version 0.16.3, which is available for download in the official releases page.", "description_and_impact": "Frigate, a network video recorder for IP cameras, has a broken access control flaw (CWE\u2011285) that allows users assigned the viewer role to delete admin and other low\u2011privileged accounts. This results in the loss of critical user accounts, which can disrupt normal operation, lead to data integrity issues, and effectively cause a denial of service by removing users necessary for management and monitoring functions.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a moderate\u2011to\u2011high severity. No EPSS data is provided and the vulnerability is not listed in the CISA KEV catalog, suggesting the exploit risk is not yet confirmed but still significant. The attack vector requires an authenticated viewer\u2011level account; an attacker who obtains or compromises such a user can delete admin or other accounts, leading to service disruption. No additional exploitation conditions such as network exposure or privilege escalation are specified by the vendor."}}}}, "created": "2026-03-20T11:05:22.312749+00:00", "updated": "2026-03-20T11:05:22.312784+00:00", "vendors": []}