FKIE_CVE-2026-25643

Vulnerability from fkie_nvd - Published: 2026-02-06 20:16 - Updated: 2026-02-11 19:00
Severity: CRITICAL (CVSS v3.1 base score 9.1, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, scored by security-advisories@github.com)
Summary
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability exists in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive; the go2rtc service executes these commands without restriction. The vulnerability is only exploitable by an administrator, or against installs that have been exposed to the open internet with no authentication, which gives anyone full administrative control. It is fixed in 0.16.4.
Impacted products
Vendor   Product   Version
frigate  frigate   * (all versions before 0.16.4; versionEndExcluding 0.16.4 in the CPE match below)
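
As an added example (not code from the Frigate or go2rtc projects), the following Python audit helper turns the two facts on this page into checks you can run against a deployment: the vulnerable range from the CPE match (versionEndExcluding 0.16.4) and the exec: stream source the summary names as the injection point. SAMPLE_CONFIG is a constructed sample that mirrors the assumed layout of a Frigate config.yaml (go2rtc.streams, cameras.<name>.ffmpeg.inputs); the scanner does not depend on that layout, because it walks every string in the document. Loading the YAML (yaml.safe_load) is left to the caller so the example runs without third-party packages.

```python
"""Audit checks for CVE-2026-25643: Frigate < 0.16.4 and exec: stream sources.

Added example, not Frigate or go2rtc project code.  Two checks:
  1. is the Frigate version inside the vulnerable range?  The bound comes
     from the CPE match on this page (versionEndExcluding 0.16.4).
  2. does config.yaml contain any stream source using the exec: scheme?
     The summary names exec: as the directive go2rtc executes unrestricted.
The config is passed in as the dict yaml.safe_load() would return; the
constructed SAMPLE_CONFIG below mirrors a Frigate config.yaml (assumed layout).
"""
import re

FIXED_VERSION = (0, 16, 4)          # versionEndExcluding from the CPE match
EXEC_SCHEME = re.compile(r"^\s*exec:", re.IGNORECASE)


def parse_version(ver: str) -> tuple:
    """'v0.16.3' -> (0, 16, 3).  Pre-release suffixes ('0.16.4-beta2') are
    dropped, so a 0.16.4 beta is treated as fixed; the advisory says nothing
    about betas, so check those by hand."""
    parts = []
    for comp in ver.strip().lstrip("vV").split("."):
        m = re.match(r"\d+", comp)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable_version(ver: str) -> bool:
    """True for any version below 0.16.4.  An unparseable version yields (),
    which sorts below FIXED_VERSION, so unknown versions fail closed."""
    return parse_version(ver) < FIXED_VERSION


def find_exec_sources(node, path="config"):
    """Return [(yaml_path, value)] for every string anywhere in the config that
    starts with 'exec:'.  Walking the whole tree catches exec: sources under
    go2rtc.streams as well as in camera ffmpeg inputs or any other location."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits.extend(find_exec_sources(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_exec_sources(value, f"{path}[{i}]"))
    elif isinstance(node, str) and EXEC_SCHEME.match(node):
        hits.append((path, node))
    return hits


def audit(config, version: str) -> list:
    """Human-readable findings for one deployment."""
    findings = []
    if is_vulnerable_version(version):
        findings.append(f"Frigate {version} is before 0.16.4: CVE-2026-25643 applies, upgrade")
    for path, value in find_exec_sources(config):
        findings.append(f"exec: stream source at {path}: {value!r} (confirm this is intentional)")
    return findings


# Constructed sample mirroring a Frigate config.yaml; not from a real deployment.
SAMPLE_CONFIG = {
    "go2rtc": {
        "streams": {
            "front_door": [
                "rtsp://192.168.1.10:554/stream1",
                "ffmpeg:front_door#audio=opus",
            ],
            "garage": [
                "exec:ffmpeg -re -i /media/garage.mp4 -f rtsp {output}",
            ],
        }
    },
    "cameras": {
        "front_door": {
            "ffmpeg": {
                "inputs": [
                    {"path": "rtsp://127.0.0.1:8554/front_door",
                     "roles": ["record", "detect"]},
                ]
            }
        }
    },
}

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG, "0.16.3"):
        print(line)
```

A hit on its own is not evidence of compromise: exec: is a documented go2rtc source type, and the advisory's precondition is that an administrator (or anyone, on an unauthenticated, internet-exposed instance) can write the config. The check tells you whether any exec: sources exist so each one can be confirmed as intentional; the remediation is to upgrade to 0.16.4 and to keep the Frigate UI behind authentication.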

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:frigate:frigate:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF9FEB51-0493-421E-9817-A5A88857FBD9",
              "versionEndExcluding": "0.16.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or users who have exposed their Frigate install to the open internet with no authentication which allows anyone full administrative control. This vulnerability is fixed in 0.16.4."
    }
  ],
  "id": "CVE-2026-25643",
  "lastModified": "2026-02-11T19:00:39.877",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-06T20:16:11.607",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/blakeblackshear/frigate/releases/tag/v0.16.4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory",
        "Exploit"
      ],
      "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-4c97-5jmr-8f6x"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Vendor Advisory",
        "Exploit"
      ],
      "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-4c97-5jmr-8f6x"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        },
        {
          "lang": "en",
          "value": "CWE-250"
        },
        {
          "lang": "en",
          "value": "CWE-269"
        },
        {
          "lang": "en",
          "value": "CWE-668"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

