Security: blakeblackshear/frigate
Security
No security policy detected
This project has not set up a SECURITY.md file yet.
Report a vulnerability-
go2rtc WebSocket live stream camera access bypass (role-restricted users)GHSA-hh3j-7g2f-43j2 published
Jun 28, 2026 by blakeblackshearModerate -
Incomplete patch of CVE-2025-62382: `image_path` backslash-separator bypass of `pathvalidate.sanitize_filepath` + `startswith(CLIPS_DIR)` reaches `shutil.copy` arbitrary host-file readGHSA-pqfr-m69j-4mq2 published
Jun 28, 2026 by blakeblackshearHigh -
Incomplete patch of CVE-2026-25643: go2rtc exec:/echo:/expr: prefix block is bypassed when a stream value is a YAML mapping with a `url` key (RCE + container escape)GHSA-r57j-5jm9-hpcc published
Jun 28, 2026 by blakeblackshearCritical -
RTSP credentials leak to viewer role via nginx proxy_cacheGHSA-4vfc-hxpj-f7x7 published
Jun 28, 2026 by blakeblackshearModerate -
Authenticated Admin Can Achieve RCE via go2rtc Stream API — exec: Filter Not Enforced at API LayerGHSA-wwww-5h25-jf98 published
Jun 28, 2026 by blakeblackshearCritical -
Authenticated viewer can read /api/logs/frigate and /api/logs/nginx, exposing the auto-generated admin password and camera RTSP/ONVIF credentials (viewer-to-admin privilege escalation)GHSA-c4qf-xxq4-vf55 published
Jun 28, 2026 by blakeblackshearHigh -
Camera ACL bypass via Nginx static locations allows authenticated users to access recordings from unauthorized camerasGHSA-74x4-gw64-2mq5 published
Jun 28, 2026 by blakeblackshearModerate -
Viewer-Role User Can Access go2rtc Internal API to obtain sensitive informationGHSA-mgh5-cr9h-g6hr published
Jun 28, 2026 by blakeblackshearHigh -
WebSocket Missing Authorization — Viewer Can Execute Admin-Only OperationsGHSA-r5fm-h944-8chq published
Jun 28, 2026 by blakeblackshearHigh -
Cross-camera snapshot disclosure via unrestricted timeline IDs and missing authorization in /api/events/{event_id}/snapshot-clean.webpGHSA-m2mg-pj9p-2r7g published
Mar 22, 2026 by blakeblackshearModerate
Learn more about advisories related to blakeblackshear/frigate in the GitHub Advisory Database