CVE-2026-33152

{"id": "CVE-2026-33152", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-26T19:17:03.147", "references": [{"url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-7m7c-jjqc-r522", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-307"}]}], "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration (ACCOUNT_RATE_LIMITS: login: 5/m/ip) only applies to the HTML-based login endpoint at /accounts/login/. Any API endpoint that accepts authenticated requests can be targeted via Authorization: Basic headers with zero rate limiting, zero account lockout, and unlimited attempts. An attacker can perform high-speed password guessing against any known username. Version 2.6.0 patches the issue."}, {"lang": "es", "value": "Tandoor Recipes es una aplicaci\u00f3n para gestionar recetas, planificar comidas y crear listas de compras. En versiones anteriores a la 2.6.0, Tandoor Recipes configura Django REST Framework con BasicAuthentication como uno de los backends de autenticaci\u00f3n predeterminados. La configuraci\u00f3n de limitaci\u00f3n de tasa de AllAuth (ACCOUNT_RATE_LIMITS: login: 5/m/ip) solo se aplica al endpoint de inicio de sesi\u00f3n basado en HTML en /accounts/login/. Cualquier endpoint de API que acepte solicitudes autenticadas puede ser objetivo a trav\u00e9s de encabezados Authorization: Basic sin limitaci\u00f3n de tasa, sin bloqueo de cuenta y con intentos ilimitados. Un atacante puede realizar adivinaci\u00f3n de contrase\u00f1as a alta velocidad contra cualquier nombre de usuario conocido. La versi\u00f3n 2.6.0 corrige el problema."}], "lastModified": "2026-03-30T19:18:18.253", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6EFEDF7D-1D00-4901-A064-ECC168038F6C", "versionEndExcluding": "2.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}