{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/password-guessing/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tandoor Recipes"],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-33152","tandoor-recipes","password-guessing","credential-access"],"_cs_type":"advisory","_cs_vendors":["Tandoor Recipes"],"content_html":"\u003cp\u003eTandoor Recipes, a recipe management and meal planning application, is susceptible to a critical vulnerability (CVE-2026-33152) in versions prior to 2.6.0. The application's configuration of Django REST Framework with BasicAuthentication as a default authentication backend, combined with insufficient rate limiting, creates a significant security risk. The AllAuth rate limiting (ACCOUNT_RATE_LIMITS: login: 5/m/ip) is only applied to the HTML login endpoint (/accounts/login/), leaving API endpoints unprotected. This allows attackers to bypass rate limiting and account lockout mechanisms by sending authentication requests directly to the API. This vulnerability enables an attacker to perform unlimited password attempts against valid usernames, potentially gaining unauthorized access to user accounts and sensitive data. Tandoor Recipes version 2.6.0 addresses this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Tandoor Recipes instance running a version prior to 2.6.0.\u003c/li\u003e\n\u003cli\u003eThe attacker discovers valid usernames through OSINT techniques or by leveraging other vulnerabilities (not described in source).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts HTTP requests with \u003ccode\u003eAuthorization: Basic\u003c/code\u003e headers targeting an API endpoint that accepts authenticated requests.\u003c/li\u003e\n\u003cli\u003eThe attacker sends multiple requests with different password guesses using a scripting language like Python and the \u003ccode\u003erequests\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eThe Tandoor Recipes server authenticates the request if the credentials match a valid user.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains access to the targeted user's account.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses, modifies, or exfiltrates recipes, meal plans, shopping lists, and potentially other user data.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots to other user accounts if sufficient privileges exist, further expanding their access and potential damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33152 allows attackers to compromise user accounts on vulnerable Tandoor Recipes instances. This can lead to unauthorized access to sensitive user data, including personal recipes, meal plans, and shopping lists. Depending on the application's deployment and user permissions, attackers may also be able to modify data, add malicious content, or pivot to other systems. The lack of rate limiting makes password guessing attacks highly effective, increasing the risk of widespread account compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Tandoor Recipes instances to version 2.6.0 or later to patch CVE-2026-33152.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on API endpoints that accept BasicAuthentication, independent of AllAuth's HTML login rate limiting.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Tandoor Recipes Basic Authentication Brute Force\u003c/code\u003e to identify potential password guessing attempts against Tandoor Recipes instances in your environment.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for excessive \u003ccode\u003eAuthorization: Basic\u003c/code\u003e header usage targeting Tandoor Recipes API endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-tandoor-password-guessing/","summary":"Tandoor Recipes before 2.6.0 allows unauthenticated attackers to perform high-speed password guessing attacks against any known username due to improper rate limiting on API endpoints using BasicAuthentication.","title":"Tandoor Recipes Unauthenticated Password Guessing Vulnerability (CVE-2026-33152)","url":"https://feed.craftedsignal.io/briefs/2024-01-09-tandoor-password-guessing/"}],"language":"en","title":"CraftedSignal Threat Feed - Password-Guessing","version":"https://jsonfeed.org/version/1.1"}