From e78da2758d2cf31bde89f81a4b09e7ad531d8f07 Mon Sep 17 00:00:00 2001
From: Josh Hawkins <32435876+hawkeye217@users.noreply.github.com>
Date: Wed, 18 Mar 2026 17:14:59 -0500
Subject: [PATCH] Restrict /api/config/raw to admin role to prevent credential leak to non-admin users (#22523)
---
 frigate/api/app.py | 2 +-
 frigate/api/auth.py | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/frigate/api/app.py b/frigate/api/app.py
index 440adfce4..d1120afee 100644
--- a/frigate/api/app.py
+++ b/frigate/api/app.py
@@ -218,7 +218,7 @@ def config_raw_paths(request: Request):
 return JSONResponse(content=raw_paths)
-@router.get("/config/raw", dependencies=[Depends(allow_any_authenticated())])
+@router.get("/config/raw", dependencies=[Depends(require_role(["admin"]))])
 def config_raw():
 config_file = find_config_file()
diff --git a/frigate/api/auth.py b/frigate/api/auth.py
index d774b3697..79cd21ad1 100644
--- a/frigate/api/auth.py
+++ b/frigate/api/auth.py
@@ -67,7 +67,6 @@ def require_admin_by_default():
 "/stats",
 "/stats/history",
 "/config",
- "/config/raw",
 "/vainfo",
 "/nvinfo",
 "/labels",
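Review bot: Nothing in this commit pins the new restriction on `/config/raw`: the diffstat touches only `app.py` and `auth.py`, so a later edit to the decorator or to the path list in `require_admin_by_default()` could reopen the endpoint to non-admin users without anyone noticing. A regression test that requests `/config/raw` as a non-admin role and expects a rejection would guard against that. I would also add a comment above the decorator, e.g. `# Admin only: the raw config file can contain credentials.`, so the reason for the stricter dependency stays visible at the route. The neighbouring `"/config"` entry remains in that list (which appears to exempt paths from the admin default), and its handler is not visible here, so it is worth confirming it does not return the same secrets unredacted. The body of `config_raw()` continues outside the hunk.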