Remote Code Execution Vulnerability (CVE‑2026‑25643) in Frigate NVR 0.16.3 Exposes Surveillance Systems
What Happened – A publicly‑available exploit (EDB‑52533) targets CVE‑2026‑25643 in Frigate NVR ≤ 0.16.3, allowing unauthenticated or low‑privilege attackers to execute arbitrary commands on the host running the Docker container. The flaw resides in the /api/config/save endpoint, which accepts a crafted YAML payload that triggers code execution.
Why It Matters for TPRM –
- Compromise of video‑surveillance infrastructure can reveal physical‑security details, employee movements, and proprietary processes.
- RCE on a Docker host can pivot to other services in the same environment, expanding the attack surface of a third‑party provider.
- Many organizations rely on Frigate as an open‑source component of their security‑camera stack, often without formal vendor risk assessments.
Who Is Affected – Companies deploying Frigate NVR in on‑premise or cloud‑hosted Docker environments across sectors such as retail, manufacturing, logistics, and critical infrastructure.
Recommended Actions –
- Verify the version of Frigate in use; upgrade immediately to 0.17.0 or later where the issue is patched.
- If upgrade is not possible, block external access to the /api/config/* endpoints via firewall or reverse‑proxy rules.
- Conduct a configuration review to ensure default credentials are not in use and that API authentication is enforced.
- Add the container to your vulnerability‑management scan list and monitor for indicators of compromise (unexpected outbound connections, new processes).
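One way to support the blocking and monitoring actions above is to triage reverse‑proxy access logs for requests to /api/config/*, escalating writes to /api/config/save that carry save_option=restart. This is an added example, not code from Frigate or the advisory. It assumes "combined"‑format logs, a hypothetical admin network of 10.20.0.0/24, and that any non‑read HTTP method counts as a write; the log lines and paths other than /api/config/save are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the only network allowed to reach the config API (hypothetical admin VLAN).
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Prefix of an nginx/Apache "combined" access-log line: client, time, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:          # unparsable client field: treat as untrusted
        return False
    return any(ip in net for net in ADMIN_NETS)

def classify(line):
    """Return a finding for any request to /api/config/*, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not (url.path.rstrip("/") + "/").startswith("/api/config/"):
        return None
    write = m["method"] not in ("GET", "HEAD", "OPTIONS")
    save = write and url.path.rstrip("/") == "/api/config/save"
    restart = "restart" in parse_qs(url.query).get("save_option", [])
    if is_trusted(m["ip"]):
        severity = "info"       # expected admin activity, kept for audit
    elif save:
        severity = "high" if restart else "medium"
    else:
        severity = "low"        # config API reached from outside the admin range
    return {"ip": m["ip"], "ts": m["ts"], "path": url.path,
            "status": int(m["status"]), "severity": severity}

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation/private address ranges, not real traffic).
SAMPLE = [
    '10.20.0.15 - admin [12/Mar/2026:09:14:02 +0000] "POST /api/config/save?save_option=restart HTTP/1.1" 200 48',
    '203.0.113.77 - - [12/Mar/2026:09:20:41 +0000] "GET /api/config/raw HTTP/1.1" 200 5120',
    '203.0.113.77 - - [12/Mar/2026:09:20:43 +0000] "POST /api/config/save HTTP/1.1" 400 61',
    '203.0.113.77 - - [12/Mar/2026:09:20:44 +0000] "POST /api/config/save?save_option=restart HTTP/1.1" 200 61',
    '198.51.100.9 - - [12/Mar/2026:09:31:10 +0000] "GET /api/events HTTP/1.1" 200 900',
]
```

Calling scan(SAMPLE) returns four findings; a "high" finding with a 2xx status means the write reached the backend and the host should be treated as potentially compromised until reviewed.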
Technical Notes – The exploit abuses improper input validation in the save_option=restart API call, injecting malicious YAML that the backend deserializes, leading to command execution on the host OS. No CVE‑specific patch existed at the time of disclosure; the vendor released an advisory (GHSA‑4c97‑5jmr‑8f6x) and a fixed release. Affected data includes video streams, system logs, and any files accessible to the Docker container.
Source: Exploit‑DB 52533