Platform: python
Component: recipes
Fixed in: 2.6.1
CVE-2026-33152 describes an authentication bypass vulnerability affecting Tandoor Recipes versions prior to 2.6.0. This flaw allows attackers to bypass rate limiting on API endpoints, enabling unauthorized access and potential data compromise. The vulnerability stems from the application's configuration of Django REST Framework with BasicAuthentication and insufficient rate limiting controls. Upgrade to version 2.6.0 to mitigate this risk.
The primary impact of CVE-2026-33152 is the potential for unauthorized access to sensitive data and functionality within Tandoor Recipes. Because the authentication bypass affects API endpoints, an attacker can directly interact with the application's backend without proper authentication. This could lead to data breaches, modification of recipes and meal plans, or even complete control over the application's data. The lack of rate limiting exacerbates the risk, allowing for rapid and repeated attempts to bypass authentication. This vulnerability shares similarities with other Basic Authentication bypasses where inadequate rate limiting controls are in place, allowing attackers to brute-force credentials or exploit misconfigurations.
CVE-2026-33152 was publicly disclosed on 2026-03-26. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that a PoC will emerge. The EPSS score is likely to be medium to high due to the ease of exploitation and the potential impact. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.07% (22nd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-33152 is to upgrade Tandoor Recipes to version 2.6.0 or later, which includes the fix for this authentication bypass. If upgrading immediately is not feasible, consider implementing temporary workarounds. One approach is to configure a Web Application Firewall (WAF) or reverse proxy to enforce rate limiting on API endpoints that accept Basic Authentication. Specifically, limit the number of requests per IP address within a short timeframe. Additionally, review and strengthen authentication configurations, ensuring that all API endpoints are properly protected and rate-limited. After upgrading, verify the fix by attempting to access API endpoints with invalid Basic Authentication credentials and confirming that rate limiting is enforced.
Update Tandoor Recipes to version 2.6.0 or higher. This version fixes the brute-force vulnerability by implementing rate limiting on basic authentication. The update will prevent attackers from guessing passwords at high speed.
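The per-IP rate limit the workaround above describes, written as an added Python example (not code from this advisory or from the Tandoor Recipes project): it counts only API requests that present Basic credentials, returns 429 once an address exhausts its window, and includes the post-upgrade check of repeating invalid-credential requests. The /api/ prefix, the budget of 10 requests per 60 seconds and the request shape are assumptions.

```python
import base64
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Tuple

# Assumed values (not from the advisory): the API prefix, and a budget of
# 10 Basic-Auth requests per client IP within a 60-second sliding window.
API_PREFIX = "/api/"
DEFAULT_LIMIT = 10
DEFAULT_WINDOW = 60.0

Request = Dict[str, str]  # constructed shape: path, remote_addr, authorization


class BasicAuthRateLimiter:
    """Per-IP sliding-window limiter applied only to API requests carrying
    Basic credentials; session- or token-authenticated traffic is not counted."""

    def __init__(self, limit: int = DEFAULT_LIMIT, window: float = DEFAULT_WINDOW,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit, self.window, self.clock = limit, window, clock
        self._attempts: Dict[str, Deque[float]] = defaultdict(deque)

    def check(self, request: Request) -> Tuple[int, str]:
        """Return (HTTP status, reason): 429 once the address exhausts its window."""
        auth = request.get("authorization", "")
        if not request["path"].startswith(API_PREFIX) or not auth.lower().startswith("basic "):
            return 200, "not subject to Basic-Auth rate limit"
        now = self.clock()
        attempts = self._attempts[request["remote_addr"]]
        while attempts and now - attempts[0] >= self.window:  # expire old attempts
            attempts.popleft()
        if len(attempts) >= self.limit:
            return 429, "too many Basic Authentication attempts from this address"
        attempts.append(now)
        return 200, "allowed"


def basic_request(remote_addr: str, username: str, password: str,
                  path: str = "/api/recipe/") -> Request:
    """Build a constructed API request carrying a Basic Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"path": path, "remote_addr": remote_addr, "authorization": f"Basic {token}"}


def verify_rate_limit(limiter: BasicAuthRateLimiter, remote_addr: str, attempts: int) -> List[int]:
    """The verification step from the text: repeat invalid-credential requests
    from one address and record each status; the tail of the list should be 429."""
    bad = basic_request(remote_addr, "someone", "not-the-password")
    return [limiter.check(bad)[0] for _ in range(attempts)]
```

A real deployment would key on the proxy-supplied client address rather than the raw peer, and would apply the same limit whether the credentials are right or wrong, so the check cannot be used to confirm a guess.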
CVE-2026-33152 is a critical vulnerability in Tandoor Recipes versions before 2.6.0 that allows attackers to bypass authentication rate limits on API endpoints, potentially gaining unauthorized access.
You are affected if you are using Tandoor Recipes version 2.6.0 or earlier. Upgrade to version 2.6.0 to address this vulnerability.
The recommended fix is to upgrade Tandoor Recipes to version 2.6.0 or later. As a temporary workaround, configure a WAF to enforce rate limiting on API endpoints.
While no active exploitation has been confirmed, the ease of exploitation suggests it is a high-priority vulnerability to address.
Refer to the Tandoor Recipes official security advisory for detailed information and updates regarding CVE-2026-33152.