From ea217bdbacb615cf246aa67a9e0cda93004e4488 Mon Sep 17 00:00:00 2001
From: Josh Hawkins <32435876+hawkeye217@users.noreply.github.com>
Date: Wed, 26 Nov 2025 07:12:00 -0600
Subject: [PATCH] explicitly prevent deletion of admin user

---
 frigate/api/auth.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/frigate/api/auth.py b/frigate/api/auth.py
index 3210ca1f3..2ee43dd29 100644
--- a/frigate/api/auth.py
+++ b/frigate/api/auth.py
@@ -579,7 +579,13 @@ def create_user(
 
 
 @router.delete("/users/{username}", dependencies=[Depends(require_role(["admin"]))])
-def delete_user(username: str):
+def delete_user(request: Request, username: str):
+    # Prevent deletion of the built-in admin user
+    if username == "admin":
+        return JSONResponse(
+            content={"message": "Cannot delete admin user"}, status_code=403
+        )
+
     User.delete_by_id(username)
     return JSONResponse(content={"success": True})