Platform
python
Component
frigate
Fixed in
0.17.1
CVE-2026-33124 is a vulnerability in Frigate, a network video recorder (NVR) with real-time object detection. This flaw allows authenticated users to modify their passwords without verifying their current credentials, potentially leading to unauthorized account access. The vulnerability affects versions of Frigate prior to 0.17.0-beta1. A fix has been released in version 0.17.0-beta1.
An attacker exploiting CVE-2026-33124 can gain complete control of a Frigate user account. This is achieved by leveraging a valid session token—obtained through accidental JWT exposure, cookie theft, XSS attacks, compromised devices, or insecure HTTP connections—to change the victim's password. Critically, the password change does not invalidate existing JWT tokens, meaning the attacker retains persistent access even after the password is altered. This allows for unauthorized access to the NVR's video streams, configuration settings, and potentially other connected devices within the network. The blast radius extends to any data accessible through the Frigate interface, including live and recorded video footage, user accounts, and system configurations.
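The two defects described above, as an added illustration that is not Frigate's code: a toy account store with HMAC-signed session tokens, a weak change-password routine that skips the current-password check and leaves earlier tokens valid, and a hardened routine that verifies the current password and bumps a per-user password version so every token issued before the change is rejected. All names (User, issue_token, verify_token, change_password_weak, change_password_hardened) are hypothetical.

```python
# Added example, not Frigate's code; every name here is hypothetical.
import base64, hashlib, hmac, json, os

SECRET = os.urandom(32)  # signing key for the toy session tokens


class User:
    def __init__(self, name: str, password: str) -> None:
        self.name = name
        self.pw_version = 0  # bumped on every password change
        self.set_password(password)

    def set_password(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def check_password(self, password: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(self.pw_hash, cand)


def issue_token(user: User) -> str:
    body = json.dumps({"sub": user.name, "pwv": user.pw_version}).encode()
    sig = hmac.new(SECRET, body, "sha256").hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + sig


def verify_token(token: str, users: dict):
    try:
        b64, sig = token.split(".")
        body = base64.urlsafe_b64decode(b64)
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(SECRET, body, "sha256").hexdigest(), sig):
        return None
    claims = json.loads(body)
    user = users.get(claims.get("sub"))
    # Reject tokens minted before the user's most recent password change.
    if user is None or claims.get("pwv") != user.pw_version:
        return None
    return user.name


def change_password_weak(user: User, new_password: str) -> None:
    """Pattern behind CVE-2026-33124: no current-password check, old tokens stay valid."""
    user.set_password(new_password)


def change_password_hardened(user: User, current_password: str, new_password: str) -> bool:
    if not user.check_password(current_password):
        return False
    user.set_password(new_password)
    user.pw_version += 1  # every previously issued token now fails verify_token
    return True
```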
CVE-2026-33124 was publicly disclosed on 2026-03-20. There is currently no indication of active exploitation campaigns targeting this vulnerability. The vulnerability's reliance on an existing, valid JWT token suggests exploitation would require a pre-existing compromise or access to sensitive information. It is not currently listed on the CISA KEV catalog.
Organizations and individuals using Frigate for network video recording, particularly those with deployments using HTTP instead of HTTPS, are at risk. Shared hosting environments where multiple users share a single Frigate instance are also particularly vulnerable, as a compromise of one user account could lead to the compromise of others.
• python / server:
# Check the running Frigate version; versions prior to 0.17.0-beta1 are affected. Assumes the Frigate web UI is reachable at FRIGATE_HOST:PORT (replace with your deployment's address).
curl -s http://FRIGATE_HOST:PORT/api/version
• generic web:
# Check for exposed JWT tokens in browser history or network traffic using browser developer tools or network analysis tools.
Disclosure
Exploit status
EPSS
0.05% (14th percentile)
CISA SSVC
The primary mitigation for CVE-2026-33124 is to immediately upgrade Frigate to version 0.17.0-beta1 or later. If upgrading is not immediately feasible, consider implementing stricter JWT token management practices. Revoke existing JWT tokens after password changes, even if it requires a service restart. Additionally, enforce strong password policies within Frigate to reduce the likelihood of brute-force attacks. Review network configurations to ensure secure communication channels (HTTPS) are used to prevent token sniffing. After upgrading, confirm the fix by attempting a password change with an existing JWT token; the change should fail and the token should be invalidated.
Update Frigate to version 0.17.0-beta1 or later. This version fixes the vulnerability that allowed password changes without verification and the lack of password strength validation.
CVE-2026-33124 allows authenticated Frigate users to change passwords without verifying their current password, impacting versions ≤ 0.17.0-beta1. Attackers can leverage existing JWT tokens for persistent account takeover.
If you are running Frigate version 0.17.0-beta1 or earlier, you are potentially affected by this vulnerability. Review your deployment and upgrade as soon as possible.
Upgrade Frigate to version 0.17.0-beta1 or later to mitigate this vulnerability. If immediate upgrade is not possible, implement stricter JWT token management practices.
There is currently no evidence of active exploitation campaigns targeting CVE-2026-33124, but the vulnerability's potential impact warrants immediate attention.
Refer to the Frigate project's official communication channels and release notes for the advisory related to CVE-2026-33124.