CVE-2026-33124: CWE-287: Improper Authentication in blakeblackshear frigate
CVE-2026-33124 is a high-severity improper authentication vulnerability in blakeblackshear's Frigate NVR software in versions prior to 0.17.0-beta1. The /users/{username}/password endpoint lets an authenticated user change their own password without supplying the current password, and a password change does not invalidate existing JWT tokens, so an attacker holding a valid session token keeps access even after the victim resets the password. The endpoint also performs no password strength validation, leaving accounts more exposed to brute-force guessing. Exploitation requires a valid session token, which can be obtained through means such as stolen cookies or XSS. The vulnerability compromises account integrity and confidentiality and can lead to full account takeover. The issue is fixed in version 0.17.0-beta1.
AI Analysis
Technical Summary
Frigate is a network video recorder (NVR) that performs real-time local object detection for IP cameras. Versions before 0.17.0-beta1 contain a high-severity improper authentication vulnerability (CWE-287), CVE-2026-33124. The flaw is in the password change functionality at the /users/{username}/password endpoint: an authenticated user can set a new password without proving knowledge of the current one. The only thing the endpoint checks is that the caller presents a valid JWT session token, so an attacker who obtains a victim's token, whether through stolen cookies, cross-site scripting (XSS), a compromised device, or sniffing an unencrypted HTTP connection, can change the victim's password and lock the legitimate user out. A second defect compounds the first: changing the password does not invalidate existing JWT tokens, so when the victim regains access and resets the password, the attacker's previously obtained token keeps working and the session hijack persists until the token itself expires or the signing secret changes. Additionally, the endpoint does not enforce password strength requirements, which widens the window for brute-force guessing. The vulnerability has a CVSS 4.0 score of 8.6 (high), reflecting a network attack vector, low attack complexity and no user interaction, with significant impact on confidentiality and integrity; note that the attacker must already hold a valid token, so the score does not describe an unauthenticated attack. No exploitation in the wild has been reported. The vendor addressed the issue in version 0.17.0-beta1 by adding proper authentication checks; the advisory as summarised here does not state whether token invalidation on password change and a password policy were added in the same release, so those behaviours should be verified after upgrading.
Potential Impact
The vulnerability allows an attacker who has obtained a valid session token to change the account's password without knowing the current one, which is a full account takeover. Because existing JWT tokens are not invalidated on password change, the attacker keeps access even after the victim resets the password; the victim's reset evicts nobody. This undermines the confidentiality and integrity of user accounts and, for an administrator account, of the whole NVR. A compromised account could be used to view or manipulate camera feeds, disable detection and recording, or exfiltrate stored surveillance footage. The missing password strength check adds a second route to the same outcome, since weak passwords fall to guessing. Organisations relying on Frigate for camera management face unauthorised surveillance access, privacy violations and operational disruption. The network attack vector and the absence of any user interaction make the flaw easy to exploit wherever session tokens are exposed or weakly protected.
Mitigation Recommendations
1. Upgrade every Frigate installation to version 0.17.0-beta1 or later; this is the only fix for the endpoint itself.
2. After upgrading, invalidate every token issued by the vulnerable version: log all users out and, if the deployment's JWT signing secret can be rotated, rotate it so that no previously issued token still verifies.
3. Enforce strong passwords (a minimum length at the very least) and rate-limit login attempts at the reverse proxy to blunt brute-force guessing, since the vulnerable version applies no policy of its own.
4. Serve Frigate only over HTTPS/TLS so that session tokens cannot be read off the wire.
5. Monitor and audit authentication logs for password changes from unfamiliar source addresses, repeated password changes on a single account, and bursts of failed logins.
6. Use a web application firewall (WAF) and a Content Security Policy (CSP) to reduce the chance that an XSS flaw exposes session tokens.
7. Educate users and administrators about token exposure (browser cookies, shared devices) and the need to log out of shared sessions.
8. Place Frigate behind an authenticating reverse proxy that enforces multi-factor authentication (MFA) if the platform itself does not offer it.
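As an added example of the log monitoring in the recommendations above (this is not Frigate's own tooling), the script below parses a handful of constructed Nginx "combined" access-log lines, as a reverse proxy in front of Frigate would write them, and raises two findings: a password change from a source address that had made no successful request beforehand, and a second change to the same account from a different address within a short window. It also counts failed-login bursts per source. The /api/login path and the /api/ prefix on the password endpoint are assumptions about the deployment, not facts from the advisory.

```python
"""Flag suspicious password changes and failed-login bursts in proxy access logs.

Added example, not Frigate's own tooling. The log lines are constructed in
Nginx 'combined' format; the /api/login path and the /api/ prefix on the
password endpoint are assumptions about the deployment.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PASSWORD_RE = re.compile(r"^/(?:api/)?users/(?P<user>[^/]+)/password$")
LOGIN_PATH = "/api/login"          # assumed login endpoint
FAILED_LOGIN_THRESHOLD = 5

# Constructed sample: alice logs in from the LAN, an outside host fails five
# logins, then changes alice's password (a stolen token needs no login), and
# alice resets it again twenty seconds later.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2026:13:00:01 +0000] "POST /api/login HTTP/1.1" 200 41 "-" "Mozilla/5.0"
10.0.0.5 - - [20/Mar/2026:13:00:05 +0000] "GET /api/events HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Mar/2026:13:02:10 +0000] "POST /api/login HTTP/1.1" 401 33 "-" "python-requests/2.31"
203.0.113.9 - - [20/Mar/2026:13:02:12 +0000] "POST /api/login HTTP/1.1" 401 33 "-" "python-requests/2.31"
203.0.113.9 - - [20/Mar/2026:13:02:14 +0000] "POST /api/login HTTP/1.1" 401 33 "-" "python-requests/2.31"
203.0.113.9 - - [20/Mar/2026:13:02:16 +0000] "POST /api/login HTTP/1.1" 401 33 "-" "python-requests/2.31"
203.0.113.9 - - [20/Mar/2026:13:02:18 +0000] "POST /api/login HTTP/1.1" 401 33 "-" "python-requests/2.31"
203.0.113.9 - - [20/Mar/2026:13:02:40 +0000] "PUT /api/users/alice/password HTTP/1.1" 200 2 "-" "python-requests/2.31"
10.0.0.5 - - [20/Mar/2026:13:03:00 +0000] "PUT /api/users/alice/password HTTP/1.1" 200 2 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Return one dict per well-formed line with ip, ts (aware datetime), method, path, status."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def failed_login_bursts(entries, threshold=FAILED_LOGIN_THRESHOLD):
    """Source addresses with at least `threshold` rejected login attempts."""
    counts = defaultdict(int)
    for e in entries:
        if e["method"] == "POST" and e["path"] == LOGIN_PATH and e["status"] == 401:
            counts[e["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def suspicious_password_changes(entries, window_seconds=3600):
    """Successful password changes that came from a source with no earlier
    successful request, or that followed another change to the same account
    from a different source within `window_seconds`."""
    findings = []
    seen_ok = set()        # sources that completed a 2xx request before the change
    last_change = {}       # user -> (ip, ts) of the most recent successful change
    for e in entries:
        ok = 200 <= e["status"] < 300
        m = PASSWORD_RE.match(e["path"])
        if m and ok and e["method"] in ("PUT", "POST"):
            user = m["user"]
            if e["ip"] not in seen_ok:
                findings.append({"user": user, "ip": e["ip"], "ts": e["ts"],
                                 "reason": "no prior successful activity from source"})
            prev = last_change.get(user)
            if prev and prev[0] != e["ip"] and (e["ts"] - prev[1]).total_seconds() <= window_seconds:
                findings.append({"user": user, "ip": e["ip"], "ts": e["ts"],
                                 "reason": f"second change within window, earlier change from {prev[0]}"})
            last_change[user] = (e["ip"], e["ts"])
        if ok:
            seen_ok.add(e["ip"])
    return findings


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("failed-login bursts:", failed_login_bursts(parsed))
    for f in suspicious_password_changes(parsed):
        print(f"{f['ts'].isoformat()} {f['user']} from {f['ip']}: {f['reason']}")
```

Run against a real proxy log, the second finding is the one that matters most for this CVE: a legitimate reset that follows an unexplained change means the earlier change may have been made with a stolen token, and because that token survives the reset, the account needs its sessions revoked rather than just a new password.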
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T20:35:49.926Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69bd5190e32a4fbe5f999481
Added to database: 3/20/2026, 1:54:24 PM
Last enriched: 3/20/2026, 2:08:47 PM
Last updated: 3/20/2026, 3:00:29 PM