CVE-2026-25643
Published: 06 February 2026
Description
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or by users who have exposed their Frigate install to the open internet with no authentication, which allows anyone full administrative control. This vulnerability is fixed in 0.16.4.
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the command injection flaw by requiring timely installation of the patch in Frigate version 0.16.4.
- Validates and sanitizes user inputs in the config.yaml file to block injection of arbitrary system commands via the exec: directive.
- Enforces least privilege on the go2rtc service to restrict the scope and impact of any executed commands from injected inputs.
Security Summary
CVE-2026-25643 is a critical remote command execution (RCE) vulnerability affecting Frigate, an open-source network video recorder (NVR) with realtime local object detection for IP cameras, in versions prior to 0.16.4. The issue resides in the Frigate integration with go2rtc, where the application fails to sanitize user input within the video stream configuration file (config.yaml). This allows attackers to inject arbitrary system commands using the exec: directive, which the go2rtc service then executes without restrictions. The vulnerability is associated with CWE-78 (OS Command Injection), CWE-250 (Execution with Unnecessary Privileges), CWE-269 (Improper Privilege Management), and CWE-668 (Excessive Exposure of Sensitive Information to an Unauthorized Process), and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Exploitation requires high privileges, specifically an administrator account, though it becomes accessible to unauthenticated remote attackers if the Frigate installation is exposed to the open internet without authentication controls. Successful exploitation grants full administrative control over the system, enabling complete confidentiality, integrity, and availability impacts through arbitrary command execution on the host.
The vulnerability has been addressed in Frigate version 0.16.4, as detailed in the official release notes and GitHub security advisory GHSA-4c97-5jmr-8f6x. Security practitioners should immediately upgrade to 0.16.4 or later, ensure Frigate instances are not exposed to the public internet without authentication, and review config.yaml files for any malicious exec: directives.
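The config review recommended above can be scripted. The following is an added defensive check, not Frigate's or go2rtc's own code: it walks the go2rtc stream definitions in a parsed Frigate config and reports every source that uses the exec: scheme. It assumes the usual Frigate layout (a top-level `go2rtc:` key with a `streams:` mapping of stream name to one source string or a list of them); the sample config is constructed for illustration.

```python
"""Audit a Frigate config.yaml for go2rtc ``exec:`` stream sources.

Added defensive check, not Frigate or go2rtc code. Assumes the common
Frigate layout: ``go2rtc.streams`` maps each stream name to either a
single source string or a list of source strings.
"""
from typing import Any

# Constructed sample, shaped like the dict yaml.safe_load would return.
SAMPLE_CONFIG: dict[str, Any] = {
    "go2rtc": {
        "streams": {
            "front": ["rtsp://user:pass@192.0.2.10:554/stream1",
                      "ffmpeg:front#audio=aac"],
            "garage": "rtsp://192.0.2.11:554/live",
            # Constructed benign exec: entries; scheme case and leading
            # whitespace vary to show that normalisation is needed.
            "suspicious": ["EXEC:echo constructed-sample"],
            "odd_spacing": ["  exec:ffmpeg -i rtsp://192.0.2.12/cam"],
        }
    }
}


def find_exec_sources(config: dict) -> list[tuple[str, int, str]]:
    """Return (stream_name, position, source) for every exec: source."""
    findings: list[tuple[str, int, str]] = []
    streams = (config.get("go2rtc") or {}).get("streams") or {}
    for name, sources in streams.items():
        if sources is None:
            continue
        if isinstance(sources, str):          # single-source shorthand
            sources = [sources]
        for i, src in enumerate(sources):
            if not isinstance(src, str):
                continue
            scheme, sep, _ = src.lstrip().partition(":")
            if sep and scheme.strip().lower() == "exec":
                findings.append((name, i, src))
    return findings


def audit_file(path: str) -> list[tuple[str, int, str]]:
    """Load a real config.yaml (needs PyYAML) and audit it."""
    import yaml  # imported lazily so the dict-based check runs without it
    with open(path, encoding="utf-8") as fh:
        return find_exec_sources(yaml.safe_load(fh) or {})


if __name__ == "__main__":
    import sys
    hits = audit_file(sys.argv[1]) if len(sys.argv) > 1 else find_exec_sources(SAMPLE_CONFIG)
    for name, i, src in hits:
        print(f"stream {name!r} source #{i} uses exec: {src}")
    sys.exit(1 if hits else 0)
```

Run it against a live config with `python audit_frigate.py /config/config.yaml`; a non-zero exit means at least one exec: source is present and should be reviewed against the operator's intended configuration.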
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote code execution via OS command injection in a public-facing NVR application (T1190), facilitating arbitrary command execution through a Unix shell interpreter (T1059.004).