Frigate: RTSP credential leak via shared nginx proxy cache
A user-shared nginx proxy cache lets a logged-in viewer user read admin-only responses, including RTSP camera credentials in cleartext.
Advisory ID: TP-2026-029
Product: Frigate (self-hosted NVR with AI object detection)
Vulnerability type: Sensitive information exposure through a shared cache (CWE-524)
CVE: not requested
CVSS 3.1: 6.5 (Medium) · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected versions: <= 0.17.1
Fixed in: 0.17.2
Vendor advisory: GHSA-4vfc-hxpj-f7x7
Reported: 19 May 2026
Summary
Frigate is a self-hosted NVR with AI object detection. The nginx /api/ location enables proxy_cache with no explicit proxy_cache_key, so nginx uses the default key $scheme$proxy_host$request_uri, which contains neither cookie nor Authorization header. The auth_request check accepts admin and viewer tokens alike as authenticated, and on a cache HIT nginx serves the cached body without running the FastAPI role check. As a result, any authenticated viewer can read the admin-only response within the 5-second window after an admin's call to the same path. turingpoint verified the flow and reported it; the vendor fixed it in 0.17.2.
Root cause
The nginx /api/ location enables proxy_cache api_cache with proxy_cache_valid 200 5s and no explicit proxy_cache_key (docker/main/rootfs/usr/local/nginx/conf/nginx.conf). nginx therefore sets the cache key to the default $scheme$proxy_host$request_uri, which contains neither cookie nor Authorization header. auth_request /auth validates only the JWT signature and expiry and accepts admin and viewer tokens as authenticated. On a cache HIT nginx serves the body straight from /dev/shm/nginx_cache without calling FastAPI, so the route dependency dependencies=[Depends(require_role(["admin"]))] is skipped. This is distinct from GHSA-26g3-f8g8-9ffh, which secured /api/config/raw at the FastAPI level but did not change the nginx cache key.
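The pattern described above (a proxy_cache whose key carries no caller identity sitting behind auth_request) is easy to miss in a review, so the following added audit script, which is not Frigate's code, parses an nginx configuration and flags every location where proxy_cache is switched on while the effective proxy_cache_key (explicit or inherited, falling back to nginx's default) contains no per-caller variable. The embedded sample configuration is constructed for the example and only modelled on the advisory's description of the vulnerable location; the hardened /api-fixed/ location, the cookie name and the upstream addresses are assumptions, not the vendor's actual fix.

```python
"""Audit an nginx config for proxy_cache locations whose cache key carries no
per-caller identity, the misconfiguration class described in this advisory.
Added example, not Frigate's code; the sample config below is constructed."""
import re

# nginx's default proxy_cache_key when none is declared
DEFAULT_KEY = "$scheme$proxy_host$request_uri"
# Variables that make the key differ per caller (non-exhaustive heuristic)
IDENTITY_VARS = ("$http_authorization", "$cookie_", "$http_cookie",
                 "$remote_user", "$auth_")

# Constructed sample, modelled on the advisory's description (not the real file).
SAMPLE_CONF = """
http {
    proxy_cache_path /dev/shm/nginx_cache levels=1:2 keys_zone=api_cache:10m;
    server {
        listen 5000;
        location /auth { internal; proxy_pass http://127.0.0.1:5001/auth; }
        # vulnerable pattern: per-user responses behind a shared cache key
        location /api/ {
            auth_request /auth;
            proxy_cache api_cache;
            proxy_cache_valid 200 5s;
            proxy_pass http://127.0.0.1:5001;
        }
        # hypothetical hardened pattern: key carries the caller's credential
        # (cookie name assumed for the example)
        location /api-fixed/ {
            auth_request /auth;
            proxy_cache api_cache;
            proxy_cache_key "$scheme$proxy_host$request_uri$http_authorization$cookie_frigate_token";
            proxy_cache_valid 200 5s;
            proxy_pass http://127.0.0.1:5001;
        }
        # public content: shared key is fine here, reported as low severity
        location /static/ { proxy_cache api_cache; proxy_pass http://127.0.0.1:5001; }
    }
}
"""


def parse_nginx(text):
    """Tiny nginx parser: returns a list of (directive, args, children-or-None)."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text)

    def block(i):
        nodes = []
        while i < len(tokens) and tokens[i] != "}":
            words = []
            while i < len(tokens) and tokens[i] not in ("{", ";", "}"):
                words.append(tokens[i])
                i += 1
            if i < len(tokens) and tokens[i] == "{":
                children, i = block(i + 1)
                nodes.append((words[0], words[1:], children))
            else:
                if words:
                    nodes.append((words[0], words[1:], None))
                if i < len(tokens) and tokens[i] == ";":
                    i += 1
        return nodes, i + 1  # skip the closing brace

    nodes, _ = block(0)
    return nodes


def audit(nodes, inherited_key=None, inherited_auth=False, context="main"):
    """Return (context, effective key, auth_request present?) for every
    proxy_cache that is on while its key has no identity variable.
    proxy_cache_key and auth_request are inherited from enclosing blocks."""
    key, has_auth = inherited_key, inherited_auth
    for name, args, _ in nodes:  # directives at this level override parents
        if name == "proxy_cache_key" and args:
            key = args[0].strip("\"'")
        if name == "auth_request" and args and args[0] != "off":
            has_auth = True
    findings = []
    for name, args, children in nodes:
        if name == "proxy_cache" and args and args[0] != "off":
            effective = key or DEFAULT_KEY
            if not any(v in effective for v in IDENTITY_VARS):
                findings.append((context, effective, has_auth))
        if children is not None:
            findings += audit(children, key, has_auth, " ".join([name] + args))
    return findings


if __name__ == "__main__":
    for context, key, authed in audit(parse_nginx(SAMPLE_CONF)):
        severity = "HIGH (authenticated responses share a cache)" if authed else "low"
        print(f"{context}: proxy_cache on, key={key!r}, {severity}")
```

Running the script against the sample reports the /api/ location as high severity (auth_request plus the default key) and /static/ as low, while /api-fixed/ is not reported. One caveat on the hardened pattern: nginx writes the cache key into the header of each cache file, so keying on a raw token or cookie copies the credential into /dev/shm/nginx_cache; keying instead on a user identity that the auth subrequest returns (captured with auth_request_set), or not caching authenticated routes at all, avoids that side effect.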
Proof of Concept
# An admin polls an admin-only route and thereby populates the cache:
GET /api/config/raw_paths (admin JWT)
# within 5 seconds, same path, with a viewer JWT:
GET /api/config/raw_paths (viewer JWT)
-> nginx returns the cached admin body, including RTSP camera URLs with cleartext credentials.
The second call hits the same cache key and is served from cache before FastAPI runs its role check; the viewer token counts as validly authenticated to the auth_request stage.
Impact
- Any authenticated viewer reads admin-only JSON responses within the 5-second window.
- Exposes RTSP camera URLs with cleartext credentials (/api/config/raw_paths).
- Exposes the full user and role list (/api/users).
References
Is Something Like This in Your Software?
Our team found this vulnerability in the course of its work. Have your applications tested by the same specialists, with a penetration test from turingpoint.
