Frigate is an open-source network video recorder (NVR) designed for real-time local object detection on IP camera streams. Versions prior to 0.16.3 contain a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2026-33126. The vulnerability resides in the /ffprobe HTTP endpoint, which accepts URLs as input parameters to probe media streams. Due to insufficient validation of these URLs, an attacker with limited privileges can supply arbitrary URLs, causing the Frigate server to initiate HTTP requests to unintended destinations. This can be leveraged to access internal network resources that are otherwise inaccessible externally, such as private IP ranges, internal services, or cloud provider metadata endpoints (e.g., AWS EC2 metadata service). Additionally, attackers can perform port scanning of internal hosts by observing response behaviors. The vulnerability does not directly impact confidentiality but can lead to information leakage and internal network reconnaissance, which may facilitate further attacks. Exploitation requires the attacker to have at least some level of access to the Frigate interface or API (privileges), but no user interaction is needed. The vulnerability has been addressed in Frigate version 0.16.3 by implementing proper URL validation and request restrictions. No known exploits have been reported in the wild as of the publication date.

The primary impact of this SSRF vulnerability is the potential exposure of internal network resources and cloud metadata services to attackers who can interact with the vulnerable Frigate instance. This can lead to unauthorized information disclosure, such as internal IP addresses, service endpoints, and sensitive metadata that could include credentials or tokens. Attackers may use this information to pivot within the network, escalate privileges, or launch further targeted attacks. For organizations relying on Frigate for video surveillance, this could compromise the confidentiality and integrity of their internal infrastructure. While the vulnerability does not directly cause denial of service or data corruption, the reconnaissance capabilities it enables can significantly increase the attack surface. The medium CVSS score reflects the moderate risk due to the requirement for some privileges and the lack of direct impact on availability or confidentiality. However, in environments where Frigate is exposed to untrusted users or integrated with critical internal systems, the risk is elevated.

Organizations should immediately upgrade Frigate to version 0.16.3 or later, where the SSRF vulnerability has been patched with proper URL validation. Until upgrading is possible, restrict access to the /ffprobe endpoint to trusted users and networks only, using network segmentation, firewall rules, or API access controls. Implement strict authentication and authorization mechanisms to ensure only authorized personnel can interact with Frigate's API endpoints. Monitor logs for unusual or unexpected requests to the /ffprobe endpoint that may indicate exploitation attempts. Additionally, consider deploying web application firewalls (WAFs) that can detect and block SSRF patterns. For cloud deployments, restrict metadata service access using instance metadata service version 2 (IMDSv2) or equivalent protections to reduce risk from SSRF attacks. Regularly audit and update all components of the video surveillance infrastructure to minimize exposure to known vulnerabilities.