CVE-2026-33153

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the Recipe API endpoint exposes a hidden `?debug=true` query parameter that returns the complete raw SQL query being executed, including all table names, column names, JOIN relationships, WHERE conditions (revealing access control logic), and multi-tenant space IDs. This parameter works even when Django's `DEBUG=False` (production mode) and is accessible to any authenticated user regardless of their privilege level. This allows a low-privilege attacker to map the entire database schema and reverse-engineer the authorization model. Version 2.6.0 patches the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0	Release Notes
https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-f83r-v3h5-pchf	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*

History

30 Mar 2026, 19:16

Type	Values Removed	Values Added
First Time		Tandoor recipes Tandoor
References	~~() https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0 -~~	() https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0 - Release Notes
References	~~() https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-f83r-v3h5-pchf -~~	() https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-f83r-v3h5-pchf - Exploit, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
CPE		cpe:2.3:a:tandoor:recipes::::::::

Information

Published : 2026-03-26 19:17

Updated : 2026-03-30 19:16

NVD link : CVE-2026-33153

Mitre link : CVE-2026-33153

CVE.ORG link : CVE-2026-33153

JSON object : View

Products Affected

tandoor

recipes

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2026-33153", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-26T19:17:03.313", "references": [{"url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-f83r-v3h5-pchf", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the Recipe API endpoint exposes a hidden `?debug=true` query parameter that returns the complete raw SQL query being executed, including all table names, column names, JOIN relationships, WHERE conditions (revealing access control logic), and multi-tenant space IDs. This parameter works even when Django's `DEBUG=False` (production mode) and is accessible to any authenticated user regardless of their privilege level. This allows a low-privilege attacker to map the entire database schema and reverse-engineer the authorization model. Version 2.6.0 patches the issue."}, {"lang": "es", "value": "Tandoor Recipes es una aplicaci\u00f3n para gestionar recetas, planificar comidas y crear listas de compras. En versiones anteriores a la 2.6.0, el endpoint de la API de Recetas expone un par\u00e1metro de consulta oculto `?debug=true` que devuelve la consulta SQL sin procesar completa que se est\u00e1 ejecutando, incluyendo todos los nombres de tablas, nombres de columnas, relaciones JOIN, condiciones WHERE (revelando la l\u00f3gica de control de acceso) y los ID de espacio multi-inquilino. Este par\u00e1metro funciona incluso cuando `DEBUG=False` de Django (modo de producci\u00f3n) y es accesible para cualquier usuario autenticado independientemente de su nivel de privilegio. Esto permite a un atacante de bajo privilegio mapear todo el esquema de la base de datos y realizar ingenier\u00eda inversa del modelo de autorizaci\u00f3n. La versi\u00f3n 2.6.0 corrige el problema."}], "lastModified": "2026-03-30T19:16:16.650", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6EFEDF7D-1D00-4901-A064-ECC168038F6C", "versionEndExcluding": "2.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}