{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/tandoor-recipes/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tandoor Recipes"],"_cs_severities":["high"],"_cs_tags":["host-header-injection","cve-2026-33149","web-application"],"_cs_type":"advisory","_cs_vendors":["Tandoor Recipes"],"content_html":"\u003cp\u003eTandoor Recipes, a recipe management and meal planning application, is vulnerable to a host header injection (CVE-2026-33149) in versions up to and including 2.5.3. The vulnerability stems from the application setting \u003ccode\u003eALLOWED_HOSTS = '*'\u003c/code\u003e by default, which disables Host header validation in the Django framework. This lack of validation allows attackers to craft malicious HTTP requests with arbitrary Host headers. The application uses \u003ccode\u003erequest.build_absolute_uri()\u003c/code\u003e to generate absolute URLs in various contexts, including invite link emails, API pagination, and OpenAPI schema generation. This vulnerability allows an attacker to manipulate these generated URLs. The most significant risk is invite link poisoning, where an attacker can make invite links in emails redirect to an attacker-controlled server, potentially compromising user accounts. No patched version is available as of the source publication date.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Tandoor Recipes instance running a vulnerable version (\u0026lt;= 2.5.3).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request to the Tandoor Recipes instance with a malicious \u003ccode\u003eHost\u003c/code\u003e header (e.g., \u003ccode\u003eHost: attacker.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAn administrator of the Tandoor Recipes instance generates an invitation link for a new user.\u003c/li\u003e\n\u003cli\u003eThe application uses \u003ccode\u003erequest.build_absolute_uri()\u003c/code\u003e to construct the invitation link, incorporating the attacker-controlled \u003ccode\u003eHost\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe invitation email is sent to the intended user, containing the malicious invitation link pointing to \u003ccode\u003eattacker.com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe user clicks the malicious link in the email, unknowingly sending the invite token to the attacker's server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen invite token to create an account on the legitimate Tandoor Recipes instance.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the Tandoor Recipes instance, potentially escalating privileges depending on the application's configuration and the compromised user's role.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to invite link poisoning, allowing attackers to create unauthorized accounts on the Tandoor Recipes instance. The number of potential victims is directly proportional to the number of Tandoor Recipes instances deployed with the vulnerable configuration and the number of users invited through the application. The impact includes unauthorized access to user data, potential modification or deletion of recipes, and the possibility of further lateral movement within the affected environment if the compromised account has elevated privileges. The CVSS v3.1 base score for this vulnerability is 8.1, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests with unusual or unexpected \u003ccode\u003eHost\u003c/code\u003e headers to detect potential exploitation attempts. Analyze webserver logs for abnormalities in \u003ccode\u003ecs-uri-query\u003c/code\u003e for invite URLs (related to invite link poisoning).\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to validate the \u003ccode\u003eHost\u003c/code\u003e header against a whitelist of expected values.\u003c/li\u003e\n\u003cli\u003eApply available patches as soon as they are released for Tandoor Recipes to remediate CVE-2026-33149.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-tandoor-recipes-host-header-injection/","summary":"Tandoor Recipes versions up to 2.5.3 use a wildcard for ALLOWED_HOSTS, making Django accept any HTTP Host header without validation, which allows an attacker to manipulate server-generated absolute URLs and potentially compromise user accounts through invite link poisoning.","title":"Tandoor Recipes Host Header Injection Vulnerability (CVE-2026-33149)","url":"https://feed.craftedsignal.io/briefs/2024-01-tandoor-recipes-host-header-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-35045"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tandoor Recipes"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","web-application","tandoor-recipes"],"_cs_type":"advisory","_cs_vendors":["Tandoor Recipes"],"content_html":"\u003cp\u003eTandoor Recipes, an application for managing recipes, planning meals, and building shopping lists, contains an authentication bypass vulnerability. Specifically, versions prior to 2.6.4 are susceptible to CVE-2026-35045. This flaw enables any authenticated user within a shared Space to modify any recipe within that Space, regardless of the recipe's privacy settings. The vulnerability stems from a lack of object-level authorization checks on the \u003ccode\u003e/api/recipe/batch_update/\u003c/code\u003e endpoint, contrasting with the more restrictive single-recipe endpoints (PUT \u003ccode\u003e/api/recipe/{id}/\u003c/code\u003e). This allows attackers to force the exposure of private recipes, grant themselves unauthorized access, and tamper with recipe metadata. Defenders should prioritize upgrading Tandoor Recipes to version 2.6.4 to remediate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to a Tandoor Recipes instance.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a Space containing recipes they wish to modify, including private recipes.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003ePUT\u003c/code\u003e request to the \u003ccode\u003e/api/recipe/batch_update/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a payload designed to modify the target recipe (e.g., changing the recipe name, ingredients, or privacy settings).\u003c/li\u003e\n\u003cli\u003eThe application, lacking proper authorization checks on this endpoint, processes the request.\u003c/li\u003e\n\u003cli\u003eThe target recipe is modified according to the attacker's specifications, bypassing intended privacy restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker can then exfiltrate or further manipulate the recipe data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35045 can lead to the unauthorized disclosure of private recipes, potentially containing sensitive personal information or proprietary culinary techniques. It can also facilitate the tampering of recipe data, leading to incorrect or malicious instructions. This vulnerability affects all Tandoor Recipes instances running versions prior to 2.6.4 and accessible to authenticated users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Tandoor Recipes to version 2.6.4 or later to patch CVE-2026-35045.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Tandoor Recipe Batch Update\u003c/code\u003e to monitor for suspicious requests to the \u003ccode\u003e/api/recipe/batch_update/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eReview webserver access logs for unusual PUT requests targeting the \u003ccode\u003e/api/recipe/batch_update/\u003c/code\u003e endpoint after authentication, to identify possible exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-27T12:00:00Z","date_published":"2024-01-27T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-tandoor-recipe-auth-bypass/","summary":"Tandoor Recipes before version 2.6.4 allows authenticated users within a space to modify any recipe in that space, including private ones, via the PUT /api/recipe/batch_update/ endpoint, bypassing object-level authorization checks and enabling unauthorized access and data tampering.","title":"Tandoor Recipes Authentication Bypass Vulnerability (CVE-2026-35045)","url":"https://feed.craftedsignal.io/briefs/2024-01-tandoor-recipe-auth-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tandoor Recipes"],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-33152","tandoor-recipes","password-guessing","credential-access"],"_cs_type":"advisory","_cs_vendors":["Tandoor Recipes"],"content_html":"\u003cp\u003eTandoor Recipes, a recipe management and meal planning application, is susceptible to a critical vulnerability (CVE-2026-33152) in versions prior to 2.6.0. The application's configuration of Django REST Framework with BasicAuthentication as a default authentication backend, combined with insufficient rate limiting, creates a significant security risk. The AllAuth rate limiting (ACCOUNT_RATE_LIMITS: login: 5/m/ip) is only applied to the HTML login endpoint (/accounts/login/), leaving API endpoints unprotected. This allows attackers to bypass rate limiting and account lockout mechanisms by sending authentication requests directly to the API. This vulnerability enables an attacker to perform unlimited password attempts against valid usernames, potentially gaining unauthorized access to user accounts and sensitive data. Tandoor Recipes version 2.6.0 addresses this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Tandoor Recipes instance running a version prior to 2.6.0.\u003c/li\u003e\n\u003cli\u003eThe attacker discovers valid usernames through OSINT techniques or by leveraging other vulnerabilities (not described in source).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts HTTP requests with \u003ccode\u003eAuthorization: Basic\u003c/code\u003e headers targeting an API endpoint that accepts authenticated requests.\u003c/li\u003e\n\u003cli\u003eThe attacker sends multiple requests with different password guesses using a scripting language like Python and the \u003ccode\u003erequests\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eThe Tandoor Recipes server authenticates the request if the credentials match a valid user.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains access to the targeted user's account.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses, modifies, or exfiltrates recipes, meal plans, shopping lists, and potentially other user data.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots to other user accounts if sufficient privileges exist, further expanding their access and potential damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33152 allows attackers to compromise user accounts on vulnerable Tandoor Recipes instances. This can lead to unauthorized access to sensitive user data, including personal recipes, meal plans, and shopping lists. Depending on the application's deployment and user permissions, attackers may also be able to modify data, add malicious content, or pivot to other systems. The lack of rate limiting makes password guessing attacks highly effective, increasing the risk of widespread account compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Tandoor Recipes instances to version 2.6.0 or later to patch CVE-2026-33152.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on API endpoints that accept BasicAuthentication, independent of AllAuth's HTML login rate limiting.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Tandoor Recipes Basic Authentication Brute Force\u003c/code\u003e to identify potential password guessing attempts against Tandoor Recipes instances in your environment.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for excessive \u003ccode\u003eAuthorization: Basic\u003c/code\u003e header usage targeting Tandoor Recipes API endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-tandoor-password-guessing/","summary":"Tandoor Recipes before 2.6.0 allows unauthenticated attackers to perform high-speed password guessing attacks against any known username due to improper rate limiting on API endpoints using BasicAuthentication.","title":"Tandoor Recipes Unauthenticated Password Guessing Vulnerability (CVE-2026-33152)","url":"https://feed.craftedsignal.io/briefs/2024-01-09-tandoor-password-guessing/"}],"language":"en","title":"CraftedSignal Threat Feed - Tandoor Recipes","version":"https://jsonfeed.org/version/1.1"}