From 335992155217727a8fb400545e8cf583d261480f Mon Sep 17 00:00:00 2001 From: Josh Hawkins <32435876+hawkeye217@users.noreply.github.com> Date: Wed, 18 Mar 2026 12:02:49 -0500 Subject: [PATCH] Restrict /api/config/raw to admin role to prevent credential leak to non-admin users --- frigate/api/app.py | 2 +- frigate/api/auth.py | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/frigate/api/app.py b/frigate/api/app.py index 440adfce4f..d1120afeec 100644 --- a/frigate/api/app.py +++ b/frigate/api/app.py @@ -218,7 +218,7 @@ def config_raw_paths(request: Request): return JSONResponse(content=raw_paths) -@router.get("/config/raw", dependencies=[Depends(allow_any_authenticated())]) +@router.get("/config/raw", dependencies=[Depends(require_role(["admin"]))]) def config_raw(): config_file = find_config_file() diff --git a/frigate/api/auth.py b/frigate/api/auth.py index d774b36978..79cd21ad15 100644 --- a/frigate/api/auth.py +++ b/frigate/api/auth.py @@ -67,7 +67,6 @@ def require_admin_by_default(): "/stats", "/stats/history", "/config", - "/config/raw", "/vainfo", "/nvinfo", "/labels",