CVE-2026-33153

MEDIUM

6.5

Descripcion

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the Recipe API endpoint exposes a hidden `?debug=true` query parameter that returns the complete raw SQL query being executed, including all table names, column names, JOIN relationships, WHERE conditions (revealing access control logic), and multi-tenant space IDs. This parameter works even when Django's `DEBUG=False` (production mode) and is accessible to any authenticated user regardless of their privilege level. This allows a low-privilege attacker to map the entire database schema and reverse-engineer the authorization model. Version 2.6.0 patches the issue.

Detalles CVE

Puntuacion CVSS v3.16.5

SeveridadMEDIUM

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosLOW

Interaccion usuarioNONE

Publicado3/26/2026

Ultima modificacion3/30/2026

Fuentenvd

Avistamientos honeypot0

Productos afectados

tandoor:recipes

Debilidades (CWE)

CWE-89

Referencias

https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0(security-advisories@github.com)

https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-f83r-v3h5-pchf(security-advisories@github.com)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.