<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-33149 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-33149/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 29 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-33149/feed.xml" rel="self" type="application/rss+xml"/><item><title>Tandoor Recipes Host Header Injection Vulnerability (CVE-2026-33149)</title><link>https://feed.craftedsignal.io/briefs/2024-01-tandoor-recipes-host-header-injection/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-tandoor-recipes-host-header-injection/</guid><description>Tandoor Recipes versions up to 2.5.3 use a wildcard for ALLOWED_HOSTS, making Django accept any HTTP Host header without validation, which allows an attacker to manipulate server-generated absolute URLs and potentially compromise user accounts through invite link poisoning.</description><content:encoded><![CDATA[<p>Tandoor Recipes, a recipe management and meal planning application, is vulnerable to a host header injection (CVE-2026-33149) in versions up to and including 2.5.3. The vulnerability stems from the application setting <code>ALLOWED_HOSTS = '*'</code> by default, which disables Host header validation in the Django framework. This lack of validation allows attackers to craft malicious HTTP requests with arbitrary Host headers. The application uses <code>request.build_absolute_uri()</code> to generate absolute URLs in various contexts, including invite link emails, API pagination, and OpenAPI schema generation. This vulnerability allows an attacker to manipulate these generated URLs. The most significant risk is invite link poisoning, where an attacker can make invite links in emails redirect to an attacker-controlled server, potentially compromising user accounts. No patched version is available as of the source publication date.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a Tandoor Recipes instance running a vulnerable version (&lt;= 2.5.3).</li>
<li>The attacker crafts an HTTP request to the Tandoor Recipes instance with a malicious <code>Host</code> header (e.g., <code>Host: attacker.com</code>).</li>
<li>An administrator of the Tandoor Recipes instance generates an invitation link for a new user.</li>
<li>The application uses <code>request.build_absolute_uri()</code> to construct the invitation link, incorporating the attacker-controlled <code>Host</code> header.</li>
<li>The invitation email is sent to the intended user, containing the malicious invitation link pointing to <code>attacker.com</code>.</li>
<li>The user clicks the malicious link in the email, unknowingly sending the invite token to the attacker's server.</li>
<li>The attacker uses the stolen invite token to create an account on the legitimate Tandoor Recipes instance.</li>
<li>The attacker gains unauthorized access to the Tandoor Recipes instance, potentially escalating privileges depending on the application's configuration and the compromised user's role.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can lead to invite link poisoning, allowing attackers to create unauthorized accounts on the Tandoor Recipes instance. The number of potential victims is directly proportional to the number of Tandoor Recipes instances deployed with the vulnerable configuration and the number of users invited through the application. The impact includes unauthorized access to user data, potential modification or deletion of recipes, and the possibility of further lateral movement within the affected environment if the compromised account has elevated privileges. The CVSS v3.1 base score for this vulnerability is 8.1, indicating a high severity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor web server logs for suspicious HTTP requests with unusual or unexpected <code>Host</code> headers to detect potential exploitation attempts. Analyze webserver logs for abnormalities in <code>cs-uri-query</code> for invite URLs (related to invite link poisoning).</li>
<li>Implement a web application firewall (WAF) rule to validate the <code>Host</code> header against a whitelist of expected values.</li>
<li>Apply available patches as soon as they are released for Tandoor Recipes to remediate CVE-2026-33149.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>host-header-injection</category><category>cve-2026-33149</category><category>web-application</category></item></channel></rss>