From 8aa1e1b3738c4f4b574def5e68d9eb5ef9ede2e2 Mon Sep 17 00:00:00 2001
From: Josh Hawkins <32435876+hawkeye217@users.noreply.github.com>
Date: Fri, 1 May 2026 10:04:58 -0500
Subject: [PATCH] restrict config vars for viewer users

---
 frigate/api/app.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/frigate/api/app.py b/frigate/api/app.py
index 57d1f0a79..0f6ff2b6c 100644
--- a/frigate/api/app.py
+++ b/frigate/api/app.py
@@ -146,8 +146,13 @@ def config(request: Request):
 for name, detector in config_obj.detectors.items()
 }

- # remove the mqtt password
+ # remove environment_vars for non-admin users
+ if request.headers.get("remote-role") != "admin":
+ config.pop("environment_vars", None)
+
+ # remove mqtt credentials
 config["mqtt"].pop("password", None)
+ config["mqtt"].pop("user", None)

 # remove the proxy secret
 config["proxy"].pop("auth_secret", None)
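Review bot: The added check `if request.headers.get("remote-role") != "admin":` takes the role straight from a request header, so the redaction is only as strong as whatever guarantees that the auth layer sets this header and overwrites any client-supplied copy; nothing in the hunk shows that guarantee. The comparison fails closed when the header is missing, which is the right default. It would help to say so in place, e.g. `# remote-role is injected by the auth layer; a missing or unknown value is treated as non-admin`. If the project already has a shared role-resolution helper, calling it here would keep this handler consistent with other role checks. The redaction is also a deny-list (`environment_vars`, `mqtt.user`, `mqtt.password`, `proxy.auth_secret`), so a test asserting that a viewer response contains none of these keys would catch regressions when new secret-bearing fields are added. The body of `config()` continues outside the hunk, so any other redaction it performs is not visible here.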