Nixpkgs Security Tracker

Login with GitHub

Details of issue NIXPKGS-2026-0789

NIXPKGS-2026-0789
published on 27 Mar 2026
Permalink CVE-2026-33469
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 1 day ago by @LeSuisse Activity log
  • Created automatic suggestion 1 day, 9 hours ago
  • @LeSuisse removed package home-assistant-custom-components.frigate 1 day ago
  • @LeSuisse accepted 1 day ago
  • @LeSuisse published on GitHub 1 day ago
Authenticated Frigate users can read the full unredacted configuration via `/api/config/raw

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through `/api/config/raw`. This exposes sensitive values that are intentionally redacted from `/api/config`, including camera credentials, go2rtc stream credentials, MQTT passwords, proxy secrets, and any other secrets stored in `config.yml`. This appears to be a broken access control issue introduced by the admin-by-default API refactor: `/api/config/raw_paths` is admin-only, but `/api/config/raw` is still accessible to any authenticated user. Version 0.17.1 contains a patch.

References

Affected products

frigate
  • === 0.17.0

Matching in nixpkgs

Ignored packages (1)

Package maintainers

Upstream advisory: https://github.com/blakeblackshear/frigate/security/advisories/GHSA-26g3-f8g8-9ffh