Password Management Vulnerability in Frigate NVR by Blake Blackshear
CVE-2026-33124

8.6HIGH

Key Information:

Vendor: Blakeblackshear
Status: Frigate
Vendor: CVE Published:; 20 March 2026

🔔 Create Blakeblackshear Vulnerability Alert

What is CVE-2026-33124?

The Frigate network video recorder has a significant vulnerability where authenticated users can change their passwords without the need to verify their current password. This flaw exists in versions prior to 0.17.0-beta1 and enables an attacker, armed with a valid session token, to change victim passwords and maintain control over their accounts without detection. Additionally, existing JWT tokens remain valid post-password change, allowing session hijacking to persist. The absence of password strength validation makes accounts susceptible to brute-force attacks, posing an increased risk to user security.

Affected Version(s)

frigate < 0.17.0-beta1

References

https://github.com/blakeblackshear/frigate/security/advis...

x_refsource_CONFIRM

https://github.com/blakeblackshear/frigate/commit/152e585...

x_refsource_MISC

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2026
Vulnerability Reserved
Mar 17, 2026

CVE-2026-33124 Data

JSON