CVE-2026-33126

Published: Mar 20, 2026Modified: Mar 23, 2026

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to version 0.16.3, the /ffprobe endpoint accepts arbitrary user-controlled URLs without proper validation, allowing Server-Side Request Forgery (SSRF) attacks. An attacker can use the Frigate server to make HTTP requests to internal network resources, cloud metadata services, or perform port scanning. This issue has been patched in version 0.16.3.

Affected (1)

Products: Frigate: Frigate

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Frigate Frigate	Before 0.16.3

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (2)

https://github.com/blakeblackshear/frigate/releases/tag/v0.16.3

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/blakeblackshear/frigate/security/advisories/GHSA-j6g3-3j3q-c2xv

Source: security-advisories@github.com

ExploitMitigationVendor Advisory

Timeline

No history available yet.