From 082f025509724042989d7cc613033111abdf3ea7 Mon Sep 17 00:00:00 2001 From: Josh Hawkins <32435876+hawkeye217@users.noreply.github.com> Date: Tue, 31 Mar 2026 12:53:29 -0500 Subject: [PATCH] enforce camera access on VLM monitor endpoint POST /vlm/monitor allowed any authenticated user to start VLM monitoring on any camera without checking camera access. A viewer restricted to specific cameras could monitor cameras they should not have access to. --- frigate/api/chat.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/frigate/api/chat.py b/frigate/api/chat.py index 136c425f25..c3ee7a77e3 100644 --- a/frigate/api/chat.py +++ b/frigate/api/chat.py @@ -15,6 +15,7 @@ from pydantic import BaseModel from frigate.api.auth import ( allow_any_authenticated, get_allowed_cameras_for_filter, + require_camera_access, ) from frigate.api.defs.query.events_query_parameters import EventsQueryParams from frigate.api.defs.request.chat_body import ChatCompletionRequest @@ -1156,6 +1157,8 @@ async def start_vlm_monitor( status_code=404, ) + await require_camera_access(body.camera, request=request) + vision_client = genai_manager.vision_client or genai_manager.tool_client if vision_client is None: return JSONResponse(