Vulnerability Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration (ACCOUNT_RATE_LIMITS: login: 5/m/ip) only applies to the HTML-based login endpoint at /accounts/login/. Any API endpoint that accepts authenticated requests can be targeted via Authorization: Basic headers with zero rate limiting, zero account lockout, and unlimited attempts. An attacker can perform high-speed password guessing against any known username. Version 2.6.0 patches the issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tandoor | Recipes | < 2.6.0 |
Related Weaknesses (CWE)
References
- https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0Release Notes
- https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-7m7c-jjqc-r52ExploitVendor Advisory
FAQ
What is CVE-2026-33152?
CVE-2026-33152 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthenticati...
How severe is CVE-2026-33152?
CVE-2026-33152 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-33152?
Check the references section above for vendor advisories and patch information. Affected products include: Tandoor Recipes.