Platform
python
Component
frigate
Fixed in
0.17.1
CVE-2026-33124 is a vulnerability in Frigate, a network video recorder (NVR) with real-time object detection. This flaw allows authenticated users to modify their passwords without verifying their current credentials, potentially leading to unauthorized account access. The vulnerability affects versions of Frigate prior to 0.17.0-beta1. A fix has been released in version 0.17.0-beta1.
An attacker exploiting CVE-2026-33124 can gain complete control of a Frigate user account. This is achieved by leveraging a valid session token—obtained through accidental JWT exposure, cookie theft, XSS attacks, compromised devices, or insecure HTTP connections—to change the victim's password. Critically, the password change does not invalidate existing JWT tokens, meaning the attacker retains persistent access even after the password is altered. This allows for unauthorized access to the NVR's video streams, configuration settings, and potentially other connected devices within the network. The blast radius extends to any data accessible through the Frigate interface, including live and recorded video footage, user accounts, and system configurations.
CVE-2026-33124 was publicly disclosed on 2026-03-20. There is currently no indication of active exploitation campaigns targeting this vulnerability. The vulnerability's reliance on an existing, valid JWT token suggests exploitation would require a pre-existing compromise or access to sensitive information. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.05% (14% percentile)
CISA SSVC
The primary mitigation for CVE-2026-33124 is to immediately upgrade Frigate to version 0.17.0-beta1 or later. If upgrading is not immediately feasible, consider implementing stricter JWT token management practices. Revoke existing JWT tokens after password changes, even if it requires a service restart. Additionally, enforce strong password policies within Frigate to reduce the likelihood of brute-force attacks. Review network configurations to ensure secure communication channels (HTTPS) are used to prevent token sniffing. After upgrading, confirm the fix by attempting a password change with an existing JWT token; the change should fail and the token should be invalidated.
Update Frigate to version 0.17.0-beta1 or later. This version fixes the vulnerability that allows password changes without verification and the lack of password strength validation.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-33124 allows authenticated Frigate users to change passwords without verifying their current password, impacting versions ≤ 0.17.0-beta1. Attackers can leverage existing JWT tokens for persistent account takeover.
If you are running Frigate version 0.17.0-beta1 or earlier, you are potentially affected by this vulnerability. Review your deployment and upgrade as soon as possible.
Upgrade Frigate to version 0.17.0-beta1 or later to mitigate this vulnerability. If immediate upgrade is not possible, implement stricter JWT token management practices.
There is currently no evidence of active exploitation campaigns targeting CVE-2026-33124, but the vulnerability's potential impact warrants immediate attention.
Refer to the Frigate project's official communication channels and release notes for the advisory related to CVE-2026-33124.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.