Frigate NVR Command Injection Bug Allowed Admin-Level RCE (CVE-2026-25643)
Frigate has long been positioned as a privacy-first, self-hosted camera solution. However, CVE-2026-25643 shows how a single input validation flaw can undermine that model.
CVE-2026-25643 stems from insufficient input validation in Frigate’s integration of go2rtc’s exec: stream feature.
What Actually Happened
Frigate versions before 0.16.4 let you inject OS commands straight into the config.yaml file through the exec: directive. The go2rtc streaming service would then execute the supplied command without sufficient validation. Many deployments run Frigate in privileged Docker mode to enable hardware acceleration.
In certain configurations, this could turn a camera service into a high-impact attack surface.
How This Works
The vulnerability sits in how Frigate handles stream configuration. You edit config.yaml and define a camera stream using go2rtc’s exec: prefix. This tells go2rtc to execute whatever command you specify. The integration did not validate user-controlled input passed to the exec: directive.
First, you inject a malicious stream definition into the config. Something like exec:/bin/bash -c 'your evil payload here'. Then you configure a dummy camera to actually use that stream, because the command only executes when the stream is active. After restarting the service via the UI, the injected command executes with the container’s runtime privileges.
The worst part? Because Frigate needs privileged mode to access hardware like Coral TPUs or GPU acceleration, injected commands in those containers may inherit broad capabilities (including CAP_SYS_ADMIN), potentially allowing host-level impact depending on configuration.
Who Should Care
If you’re running Frigate, you should care. If you’re running Home Assistant with camera integration, you should care. If you’re one of the 30,000 people who starred the Frigate repo on GitHub thinking you were getting privacy-focused surveillance, you should definitely care.
This hits hard if you exposed your Frigate instance to the internet without auth (which the advisory specifically mentions). With authentication disabled, this goes from an authenticated admin issue to a full unauthenticated RCE.
Why This Happened
The Frigate devs integrated go2rtc, which has an exec: feature for running arbitrary commands. That’s fine for advanced users who need custom stream handling. However, the integration did not sanitize shell-executed input.
This is the same class of bug that’s been killing web apps for decades. Command injection. It’s taught in every security course. And yet here we are in 2026 with a home security product that lets you exec: your way to root due to missing input validation in the go2rtc integration.
The privileged Docker mode makes it worse. Many users run Frigate in privileged mode because that’s how you get hardware acceleration working. In deployments running Docker in privileged mode, injected commands may inherit elevated capabilities (such as CAP_SYS_ADMIN). Depending on host configuration and exposed devices, this can increase the risk of host-level impact.
What To Do
If you’re running Frigate <= 0.16.3: Update to 0.16.4 immediately. Pull the latest Docker image and restart. The fix is out there. Use it.
For Docker users:
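```sh
doas docker pull ghcr.io/blakeblackshear/frigate:0.16.4
# Note: `docker restart` reuses the image the container was created from. If the UI
# still reports the old version afterwards, recreate the container from the new image.
doas docker restart frigate
```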
Check your version in the Frigate UI. If it says 0.16.3 or lower, you’re vulnerable.
Network-level mitigations: Limit access to the Frigate web interface to trusted admin networks only. Avoid exposing the Frigate web interface directly to the internet. Use VPN or a properly configured reverse proxy with authentication.
Config audit: Review your config.yaml for any suspicious exec: directives. If you see streams using exec that you didn’t explicitly configure, someone might have already popped you.
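One way to run that config audit, as an added example (not Frigate's or go2rtc's own code): it lists every go2rtc stream source that starts with exec: and whether a camera input consumes that stream, since the command only runs while the stream is in use. It assumes streams live under go2rtc.streams and that cameras reference them as rtsp://127.0.0.1:8554/<name>; the function names are hypothetical, and it uses a small indentation scanner rather than a full YAML parser.

```python
import re

# Constructed sample config: placeholder command, documentation IP range.
SAMPLE_CONFIG = """\
go2rtc:
  streams:
    front_door:
      - rtsp://192.0.2.10:554/stream1
    diag_feed:
      - "exec:/bin/sh -c 'PLACEHOLDER_COMMAND'"
cameras:
  spare_cam:
    ffmpeg:
      inputs:
        - path: rtsp://127.0.0.1:8554/diag_feed
"""
KEY = re.compile(r"([\w.-]+):(?:\s+(.*))?$")

def find_exec_streams(text):
    """Return (line_no, stream, source) for each go2rtc.streams source starting with exec:."""
    findings, stack = [], []  # stack: (indent, key) of the enclosing mappings
    for no, raw in enumerate(text.splitlines(), 1):
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if body.startswith("- "):  # list item: belongs to the key above it
            while stack and stack[-1][0] > indent:
                stack.pop()
            value = body[2:].strip()
        else:
            m = KEY.match(body)
            if not m:
                continue
            while stack and stack[-1][0] >= indent:
                stack.pop()
            stack.append((indent, m.group(1)))
            value = (m.group(2) or "").strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # drop one pair of surrounding quotes
        keys = [k for _, k in stack]
        if keys[:2] == ["go2rtc", "streams"] and len(keys) == 3 and value.lower().startswith("exec:"):
            findings.append((no, keys[2], value))
    return findings

def audit(text):
    """Add whether a camera input consumes the stream (assumed restream URL form)."""
    used = set(re.findall(r"rtsp://(?:127\.0\.0\.1|localhost):8554/([\w.-]+)", text))
    return [{"line": n, "stream": s, "source": src, "used_by_camera": s in used}
            for n, s, src in find_exec_streams(text)]
```

Run `audit()` on the text of your own config.yaml and compare each reported stream against the exec: sources you configured yourself; an entry with `used_by_camera` set that you do not recognise deserves the closest look.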
Quick Reference
| Detail | Information |
|---|---|
| CVE ID | CVE-2026-25643 |
| CVSS Score | 9.1 Critical |
| Vulnerability Type | OS Command Injection (CWE-78) |
| Attack Vector | Network-based |
| Authentication | Required (admin or none if exposed) |
| Affected Versions | Frigate <= 0.16.3 |
| Fixed Version | Frigate 0.16.4+ |
| Patch Date | January 29, 2026 |
| Public PoC | Yes |
| Container Escape | Yes (privileged mode) |
FAQ
Q: Do I need admin access to exploit this?
A: Technically yes, but if you exposed Frigate without authentication, anyone becomes admin. The advisory explicitly mentions this scenario.
Q: Is there a working exploit?
A: Yes. The researcher published a full PoC with example payloads for reverse shells and secret extraction. It’s on GitHub right now.
Q: Can this be exploited remotely?
A: Absolutely. Network attack vector, no user interaction required. If you can reach the Frigate web UI and authenticate (or if auth is disabled), you’re in.
Q: How do I know if I’ve been compromised?
A: Check your config.yaml for unexpected exec: stream definitions. Review Docker logs for suspicious command execution. Look for new processes or network connections you didn’t initiate.
Q: Will updating break my cameras?
A: No. Version 0.16.4 only adds input validation to the go2rtc integration. Your legit camera configs will work fine. Just update already.
Why This Matters
Here’s the real problem with security software. You can have all the encryption, all the local processing, all the privacy-first architecture you want. However, a single input validation failure at an integration boundary can undermine otherwise strong architectural security properties.
Frigate was supposed to be the answer to surveillance capitalism. No Ring. No Nest. No cloud processing. Just you, your cameras, and your local network. But it turns out that running your own security infrastructure means you’re also responsible for securing it. And when the devs don’t sanitize command injection vectors, a compromised administrative interface can significantly escalate impact, particularly in privileged deployments.
The Home Assistant community needs to internalize this. Self-hosted doesn’t automatically mean secure. Open source doesn’t automatically mean audited. And hardware acceleration requirements that force privileged containers create massive blast radius for bugs exactly like this one.
The Bottom Line
Frigate’s go2rtc integration had a command injection bug that let authenticated users execute arbitrary OS commands with elevated privileges. The fix is out. Update to 0.16.4 or later. If your instance was exposed to the internet without authentication, review logs and configuration carefully and consider a broader system audit.
Stay safe out there.