Frigate is an open-source network video recorder (NVR) software that supports real-time local object detection for IP cameras. In version 0.17.0, a broken access control vulnerability (CWE-863) was introduced due to an incomplete API refactor. Specifically, the endpoint /api/config/raw allows any authenticated user, including non-admins, to retrieve the entire raw configuration file (config.yml). This file contains sensitive information such as camera credentials, go2rtc stream credentials, MQTT passwords, proxy secrets, and other secrets that are normally redacted in the standard /api/config endpoint. The intended design was to restrict access to sensitive configuration data to admin users only, as correctly enforced on /api/config/raw_paths. However, /api/config/raw was left accessible to all authenticated users, exposing critical secrets. This vulnerability requires authentication but no further user interaction. The CVSS 3.1 base score is 6.5 (medium severity), reflecting high confidentiality impact but no impact on integrity or availability. The flaw was fixed in version 0.17.1 by properly restricting access to /api/config/raw to admin users only. There are no known exploits in the wild at the time of publication. The vulnerability highlights the risk of incomplete access control enforcement in API endpoints, especially when dealing with sensitive configuration data in security-focused software like NVRs.

The primary impact of this vulnerability is the exposure of sensitive credentials and secrets stored in the Frigate configuration file to any authenticated user, including those with limited privileges. This can lead to unauthorized disclosure of camera credentials, stream access credentials, MQTT broker passwords, and proxy secrets. Attackers or malicious insiders with non-admin access could leverage these secrets to gain unauthorized access to video streams, intercept or manipulate MQTT messages, or pivot within the network. Although the vulnerability does not allow modification of data or denial of service, the confidentiality breach can severely compromise the security and privacy of surveillance systems. Organizations relying on Frigate for IP camera management and monitoring could face risks of surveillance footage exposure, unauthorized surveillance, and potential lateral movement within their networks. The impact is particularly critical in sensitive environments such as corporate offices, government facilities, and critical infrastructure where video surveillance confidentiality is paramount.

1. Upgrade Frigate to version 0.17.1 or later, where the access control issue on /api/config/raw is properly fixed. 2. Until upgrade is possible, restrict access to the Frigate API endpoints by network segmentation and firewall rules to limit authenticated users to trusted administrators only. 3. Review and rotate all exposed credentials and secrets stored in the Frigate configuration, including camera passwords, stream credentials, MQTT passwords, and proxy secrets, to mitigate any potential compromise. 4. Implement strict role-based access control (RBAC) policies to ensure only necessary users have authenticated access to the Frigate API. 5. Monitor API access logs for unusual or unauthorized access patterns to sensitive endpoints. 6. Consider encrypting sensitive configuration data at rest and in transit where possible. 7. Conduct regular security audits and code reviews when upgrading or refactoring API endpoints to prevent incomplete access control enforcement.