<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>CVE-2026-33152 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-33152/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 15:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-33152/feed.xml" rel="self" type="application/rss+xml"/><item><title>Tandoor Recipes Unauthenticated Password Guessing Vulnerability (CVE-2026-33152)</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-tandoor-password-guessing/</link><pubDate>Tue, 09 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-tandoor-password-guessing/</guid><description>Tandoor Recipes before 2.6.0 allows unauthenticated attackers to perform high-speed password guessing attacks against any known username due to improper rate limiting on API endpoints using BasicAuthentication.</description><content:encoded><![CDATA[<p>Tandoor Recipes, a recipe management and meal planning application, is susceptible to a critical vulnerability (CVE-2026-33152) in versions prior to 2.6.0. The application's configuration of Django REST Framework with BasicAuthentication as a default authentication backend, combined with insufficient rate limiting, creates a significant security risk. The AllAuth rate limiting (ACCOUNT_RATE_LIMITS: login: 5/m/ip) is only applied to the HTML login endpoint (/accounts/login/), leaving API endpoints unprotected. This allows attackers to bypass rate limiting and account lockout mechanisms by sending authentication requests directly to the API. This vulnerability enables an attacker to perform unlimited password attempts against valid usernames, potentially gaining unauthorized access to user accounts and sensitive data. Tandoor Recipes version 2.6.0 addresses this vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a Tandoor Recipes instance running a version prior to 2.6.0.</li>
<li>The attacker discovers valid usernames through OSINT techniques or by leveraging other vulnerabilities (not described in source).</li>
<li>The attacker crafts HTTP requests with <code>Authorization: Basic</code> headers targeting an API endpoint that accepts authenticated requests.</li>
<li>The attacker sends multiple requests with different password guesses using a scripting language like Python and the <code>requests</code> library.</li>
<li>The Tandoor Recipes server authenticates the request if the credentials match a valid user.</li>
<li>If successful, the attacker gains access to the targeted user's account.</li>
<li>The attacker accesses, modifies, or exfiltrates recipes, meal plans, shopping lists, and potentially other user data.</li>
<li>The attacker pivots to other user accounts if sufficient privileges exist, further expanding their access and potential damage.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33152 allows attackers to compromise user accounts on vulnerable Tandoor Recipes instances. This can lead to unauthorized access to sensitive user data, including personal recipes, meal plans, and shopping lists. Depending on the application's deployment and user permissions, attackers may also be able to modify data, add malicious content, or pivot to other systems. The lack of rate limiting makes password guessing attacks highly effective, increasing the risk of widespread account compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Tandoor Recipes instances to version 2.6.0 or later to patch CVE-2026-33152.</li>
<li>Implement rate limiting on API endpoints that accept BasicAuthentication, independent of AllAuth's HTML login rate limiting.</li>
<li>Deploy the Sigma rule <code>Detect Tandoor Recipes Basic Authentication Brute Force</code> to identify potential password guessing attempts against Tandoor Recipes instances in your environment.</li>
<li>Monitor web server logs for excessive <code>Authorization: Basic</code> header usage targeting Tandoor Recipes API endpoints.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>CVE-2026-33152</category><category>tandoor-recipes</category><category>password-guessing</category><category>credential-access</category></item></channel></rss>