CVE-2026-33126— Frigate has SSRF vulnerability in /ffprobe endpoint
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33126
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Frigate has SSRF vulnerability in /ffprobe endpoint
Source: NVD (National Vulnerability Database)
Vulnerability Description
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to version 0.16.3, the /ffprobe endpoint accepts arbitrary user-controlled URLs without proper validation, allowing Server-Side Request Forgery (SSRF) attacks. An attacker can use the Frigate server to make HTTP requests to internal network resources, cloud metadata services, or perform port scanning. This issue has been patched in version 0.16.3.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Frigate 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Frigate是Blake Blackshear个人开发者的一款专为具有 AI 对象检测功能的家庭助理设计的完整本地 NVR。 Frigate 0.16.3之前版本存在代码问题漏洞,该漏洞源于/ffprobe端点接受任意用户控制的URL,可能导致服务端请求伪造攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| blakeblackshear | frigate | < 0.16.3 | - |
II. Public POCs for CVE-2026-33126
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-33126
请登录查看更多情报信息。
- Release 0.16.3 Release · blakeblackshear/frigate · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-33126
Same Patch Batch · blakeblackshear · 2026-03-20 · 3 CVEs total
| CVE-2026-33125 | 7.1 HIGH | Frigate Broken Access Control: Users assigned the viewer role can delete admin and other l |
| CVE-2026-33124 | Frigate has insecure password change functionality |
IV. Related Vulnerabilities
Same product: frigate
- CVE-2026-33470
Frigate has cross-camera snapshot disclosure via unrestricte - CVE-2026-33469
Authenticated Frigate users can read the full unredacted con - CVE-2026-33125
Frigate Broken Access Control: Users assigned the viewer rol - CVE-2026-33124
Frigate has insecure password change functionality - CVE-2026-25643
Frigate Affected by Authenticated Remote Command Execution (
Same vendor: blakeblackshear
- CVE-2026-33470
Frigate has cross-camera snapshot disclosure via unrestricte - CVE-2026-33469
Authenticated Frigate users can read the full unredacted con - CVE-2026-33125
Frigate Broken Access Control: Users assigned the viewer rol - CVE-2026-33124
Frigate has insecure password change functionality - CVE-2026-25643
Frigate Affected by Authenticated Remote Command Execution (
Same weakness: CWE-918
- CVE-2026-8193
Akaunting Invoice PDF Rendering dompdf.php server-side reque - CVE-2026-44313
LinkWarden: Server-Side Request Forgery (SSRF) in Link Creat - CVE-2026-42352
pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processe - CVE-2026-42346
Postiz: TOCTOU DNS rebinding bypasses all SSRF URL validatio - CVE-2026-42339
New API: SSRF Filter Bypass via 0.0.0.0
V. Comments for CVE-2026-33126
No comments yet