Frigate Broken Access Control: Users assigned the viewer role can delete admin and other low-privileged accounts
Description
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user accounts. Exploitation can lead to DoS and affect data integrity. This issue has been patched in version 0.16.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Frigate ≤0.16.2, users with the viewer role can delete admin and other accounts, leading to denial of service and data integrity loss; patched in 0.16.3.
Vulnerability
CVE-2026-33125 is a broken access control vulnerability in Frigate, a network video recorder (NVR) with realtime local object detection for IP cameras. In versions 0.16.2 and below, the DELETE /api/users/admin endpoint enforces no role check, so any authenticated user, including one holding only the low-privilege viewer role, can delete admin and other user accounts [1][4]. The root cause is a missing role-based access control check on the delete endpoint [4].
Exploitation
Exploitation requires a valid authenticated session on the Frigate instance [3][4]. An attacker with viewer-level credentials (or any authenticated user) can send a DELETE request to the /api/users/admin endpoint, targeting any account, including the admin account. No special privileges beyond authentication are needed, making the attack simple to execute once access is obtained [4].
Impact
Successful deletion of user accounts, especially the admin account, can result in denial of service, as legitimate users lose access to the system and administrative control may be lost. Additionally, data integrity is affected because user account records are permanently removed [1][4]. The attack can render the NVR inoperable for management purposes.
Mitigation
The issue has been patched in Frigate version 0.16.3, which restricts the delete endpoint to authenticated admin users only by adding a role requirement [3][4]. Users are strongly advised to upgrade to 0.16.3 or later. No workaround is provided for older versions.
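The missing check described above, as an added Python example that is not Frigate's own code: a user-deletion handler in the unchecked shape (authentication only) beside the hardened shape that requires the admin role. The role names, the in-memory user store, the HTTP-style status codes and the last-admin safeguard are assumptions for illustration, not details taken from the advisory.

```python
"""Role-gated user deletion in the shape a Frigate-like API handler takes.
Added example, not Frigate's code; roles, store and status codes are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Set

ADMIN = "admin"
VIEWER = "viewer"


class Forbidden(Exception):
    """Caller is authenticated but its role may not perform the action."""


@dataclass
class Session:
    """Authenticated caller (assumed shape: username plus a single role)."""
    username: str
    role: str


@dataclass
class UserStore:
    """Constructed in-memory user table: username -> role."""
    users: Dict[str, str] = field(
        default_factory=lambda: {"admin": ADMIN, "alice": VIEWER, "bob": VIEWER}
    )


def require_role(session: Session, allowed: Set[str]) -> None:
    """The check that was missing: reject any session whose role is not allowed."""
    if session.role not in allowed:
        raise Forbidden(f"role {session.role!r} may not perform this action")


def delete_user_unchecked(store: UserStore, session: Session, username: str) -> int:
    """'Before' shape: a logged-in session is all that is verified, no role check.
    Any authenticated caller, viewer included, can remove any account."""
    if username not in store.users:
        return 404
    del store.users[username]
    return 204


def delete_user(store: UserStore, session: Session, username: str) -> int:
    """Hardened handler: admin role required, plus a safeguard (our addition, not
    from the advisory) so the last remaining admin account cannot be deleted."""
    try:
        require_role(session, {ADMIN})
    except Forbidden:
        return 403
    if username not in store.users:
        return 404
    remaining_admins = sum(1 for role in store.users.values() if role == ADMIN)
    if store.users[username] == ADMIN and remaining_admins == 1:
        return 409  # refuse to lock everyone out of administration
    del store.users[username]
    return 204


def demo() -> Dict[str, int]:
    """Run both handlers with a viewer session against fresh stores; return statuses."""
    viewer = Session("alice", VIEWER)
    unchecked = delete_user_unchecked(UserStore(), viewer, "admin")
    checked = delete_user(UserStore(), viewer, "admin")
    return {"unchecked": unchecked, "checked": checked}


if __name__ == "__main__":
    print(demo())  # {'unchecked': 204, 'checked': 403}
```

The role check sits at the top of the handler, before any lookup or mutation, so a viewer session is refused with 403 and the admin record is never touched; the unchecked variant returns 204 for the same call, which is the behaviour class the advisory describes.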
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| frigate (PyPI) | >= 0 | — |
Affected products
- Range: <= 0.16.2
- blakeblackshear/frigate v5: Range: < 0.16.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-vg28-83rp-8xx4 (GHSA, advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2026-33125 (GHSA, advisory)
- [3] github.com/blakeblackshear/frigate/releases/tag/v0.16.3 (GHSA, x_refsource_MISC, web)
- [4] github.com/blakeblackshear/frigate/security/advisories/GHSA-vg28-83rp-8xx4 (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.