CVE-2026-33153

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the Recipe API endpoint exposes a hidden `?debug=true` query parameter that returns the complete raw SQL query being executed, including all table names, column names, JOIN relationships, WHERE conditions (revealing access control logic), and multi-tenant space IDs. This parameter works even when Django's `DEBUG=False` (production mode) and is accessible to any authenticated user regardless of their privilege level. This allows a low-privilege attacker to map the entire database schema and reverse-engineer the authorization model. Version 2.6.0 patches the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0	Release Notes
https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-f83r-v3h5-pchf	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*

History

30 Mar 2026, 19:16

Type	Values Removed	Values Added
CPE		cpe:2.3:a:tandoor:recipes::::::::
First Time		Tandoor Tandoor recipes
References	~~() https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0 -~~	() https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0 - Release Notes
References	~~() https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-f83r-v3h5-pchf -~~	() https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-f83r-v3h5-pchf - Exploit, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

30 Mar 2026, 13:26

Type	Values Removed	Values Added
Summary		(es) Tandoor Recipes es una aplicación para gestionar recetas, planificar comidas y crear listas de compras. En versiones anteriores a la 2.6.0, el endpoint de la API de Recetas expone un parámetro de consulta oculto `?debug=true` que devuelve la consulta SQL sin procesar completa que se está ejecutando, incluyendo todos los nombres de tablas, nombres de columnas, relaciones JOIN, condiciones WHERE (revelando la lógica de control de acceso) y los ID de espacio multi-inquilino. Este parámetro funciona incluso cuando `DEBUG=False` de Django (modo de producción) y es accesible para cualquier usuario autenticado independientemente de su nivel de privilegio. Esto permite a un atacante de bajo privilegio mapear todo el esquema de la base de datos y realizar ingeniería inversa del modelo de autorización. La versión 2.6.0 corrige el problema.

26 Mar 2026, 19:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-26 19:17

Updated : 2026-03-30 19:16

NVD link : CVE-2026-33153

Mitre link : CVE-2026-33153

CVE.ORG link : CVE-2026-33153

JSON object : View

Products Affected

tandoor

recipes

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

6.5 /10