NIXPKGS-2026-0810

GitHub issue published 2 months, 4 weeks ago

Permalink CVE-2026-33470

6.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

updated 2 months, 4 weeks ago by @LeSuisse Activity log

Created suggestion 2 months, 4 weeks ago
@LeSuisse ignored package home-assistant-custom-components.frigate 2 months, 4 weeks ago
@LeSuisse accepted 2 months, 4 weeks ago
@LeSuisse published on GitHub 2 months, 4 weeks ago

Frigate has cross-camera snapshot disclosure via unrestricted timeline IDs and missing authorization in /api/events/{event_id}/snapshot-clean.webp

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In version 0.17.0, a low-privilege authenticated user restricted to one camera can access snapshots from other cameras. This is possible through a chain of two authorization problems: `/api/timeline` returns timeline entries for cameras outside the caller's allowed camera set, then `/api/events/{event_id}/snapshot-clean.webp` declares `Depends(require_camera_access)` but never actually validates `event.camera` after looking up the event. Together, this allows a restricted user to enumerate event IDs from unauthorized cameras and then fetch clean snapshots for those events. Version 0.17.1 fixes the issue.

References

https://github.com/blakeblackshear/frigate/security/advisories/GHSA-m2mg-pj9p-2r7g x_refsource_CONFIRMexploit

Affected products

frigate

=== 0.17.0

Matching in nixpkgs

pkgs.frigate

NVR with realtime local object detection for IP cameras

nixos-unstable 0.17.0
- nixpkgs-unstable 0.17.0
- nixos-unstable-small 0.17.0

pkgs.pkgsRocm.frigate

NVR with realtime local object detection for IP cameras

nixos-unstable 0.17.0
- nixpkgs-unstable 0.17.0
- nixos-unstable-small 0.17.0

Ignored packages (1)

pkgs.home-assistant-custom-components.frigate

Provides Home Assistant integration to interface with a separately running Frigate service

nixos-unstable 5.14.2
- nixpkgs-unstable 5.14.2
- nixos-unstable-small 5.14.2

Package maintainers

@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>

Upstream advisory: https://github.com/blakeblackshear/frigate/security/advisories/GHSA-m2mg-pj9p-2r7g

Nixpkgs security tracker