spupuz/VibeNVR

v1.20.3 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 3mo Media Servers

✓ No known CVEs patched

This release patches 1 known CVE

Topics

ffmpeg lightweight local-storage nvr opensource privacy

+1 more

video-surveillance

Affected surfaces

auth

Summary

AI summary

Fixed persistent 401 Unauthorized in Live View and improved authentication security.

Full changelog

Full Changelog: https://github.com/spupuz/VibeNVR/compare/v1.20.2...v1.20.3

Live View: persistent 401 Unauthorized on HTTP with COOKIE_SECURE=false — definitively fixed
Frame polling now uses an Authorization: Bearer header (in-memory token) instead of the media_token cookie. Works reliably on HTTP, HTTPS, incognito mode, and all configurations.

Authorization: Bearer header is more resistant to CSRF than cookie-based auth
The token is never exposed in the URL or server access logs
No security regression for HTTPS installations behind a reverse proxy

| File | Change |
|------|--------|
| frontend/src/pages/LiveView.jsx | Frame requests now use Authorization: Bearer header |
| backend/routers/cameras.py | /frame and /stream endpoints accept Bearer header (priority over cookie) |
| frontend/package.json | 1.20.2 → 1.20.3 |
| backend/package.json | 1.20.2 → 1.20.3 |

docker compose -f docker-compose.prod.yml pull
docker compose -f docker-compose.prod.yml down
docker compose -f docker-compose.prod.yml up -d

No .env changes required. No hard refresh needed — the new JS bundle hash is detected automatically by the browser.

Authentication in Live View switched to `Authorization: Bearer` header, making it more resistant to CSRF and preventing token exposure in URLs or server logs.

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Track spupuz/VibeNVR

Get notified when new releases ship.

About spupuz/VibeNVR