Vulnerability Description
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to version 0.16.3, the /ffprobe endpoint accepts arbitrary user-controlled URLs without proper validation, allowing Server-Side Request Forgery (SSRF) attacks. An attacker can use the Frigate server to make HTTP requests to internal network resources, cloud metadata services, or perform port scanning. This issue has been patched in version 0.16.3.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Frigate | Frigate | < 0.16.3 |
Related Weaknesses (CWE)
References
- https://github.com/blakeblackshear/frigate/releases/tag/v0.16.3ProductRelease Notes
- https://github.com/blakeblackshear/frigate/security/advisories/GHSA-j6g3-3j3q-c2ExploitMitigationVendor Advisory
FAQ
What is CVE-2026-33126?
CVE-2026-33126 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to version 0.16.3, the /ffprobe endpoint accepts arbitrary user-controlled URLs without proper vali...
How severe is CVE-2026-33126?
CVE-2026-33126 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33126?
Check the references section above for vendor advisories and patch information. Affected products include: Frigate Frigate.