<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Tandoor Recipes - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/tandoor-recipes/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 29 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/tandoor-recipes/feed.xml" rel="self" type="application/rss+xml"/><item><title>Tandoor Recipes Host Header Injection Vulnerability (CVE-2026-33149)</title><link>https://feed.craftedsignal.io/briefs/2024-01-tandoor-recipes-host-header-injection/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-tandoor-recipes-host-header-injection/</guid><description>Tandoor Recipes versions up to 2.5.3 use a wildcard for ALLOWED_HOSTS, making Django accept any HTTP Host header without validation, which allows an attacker to manipulate server-generated absolute URLs and potentially compromise user accounts through invite link poisoning.</description><content:encoded><![CDATA[<p>Tandoor Recipes, a recipe management and meal planning application, is vulnerable to a host header injection (CVE-2026-33149) in versions up to and including 2.5.3. The vulnerability stems from the application setting <code>ALLOWED_HOSTS = '*'</code> by default, which disables Host header validation in the Django framework. This lack of validation allows attackers to craft malicious HTTP requests with arbitrary Host headers. The application uses <code>request.build_absolute_uri()</code> to generate absolute URLs in various contexts, including invite link emails, API pagination, and OpenAPI schema generation. This vulnerability allows an attacker to manipulate these generated URLs. The most significant risk is invite link poisoning, where an attacker can make invite links in emails redirect to an attacker-controlled server, potentially compromising user accounts. No patched version is available as of the source publication date.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a Tandoor Recipes instance running a vulnerable version (&lt;= 2.5.3).</li>
<li>The attacker crafts an HTTP request to the Tandoor Recipes instance with a malicious <code>Host</code> header (e.g., <code>Host: attacker.com</code>).</li>
<li>An administrator of the Tandoor Recipes instance generates an invitation link for a new user.</li>
<li>The application uses <code>request.build_absolute_uri()</code> to construct the invitation link, incorporating the attacker-controlled <code>Host</code> header.</li>
<li>The invitation email is sent to the intended user, containing the malicious invitation link pointing to <code>attacker.com</code>.</li>
<li>The user clicks the malicious link in the email, unknowingly sending the invite token to the attacker's server.</li>
<li>The attacker uses the stolen invite token to create an account on the legitimate Tandoor Recipes instance.</li>
<li>The attacker gains unauthorized access to the Tandoor Recipes instance, potentially escalating privileges depending on the application's configuration and the compromised user's role.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can lead to invite link poisoning, allowing attackers to create unauthorized accounts on the Tandoor Recipes instance. The number of potential victims is directly proportional to the number of Tandoor Recipes instances deployed with the vulnerable configuration and the number of users invited through the application. The impact includes unauthorized access to user data, potential modification or deletion of recipes, and the possibility of further lateral movement within the affected environment if the compromised account has elevated privileges. The CVSS v3.1 base score for this vulnerability is 8.1, indicating a high severity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor web server logs for suspicious HTTP requests with unusual or unexpected <code>Host</code> headers to detect potential exploitation attempts. Analyze webserver logs for abnormalities in <code>cs-uri-query</code> for invite URLs (related to invite link poisoning).</li>
<li>Implement a web application firewall (WAF) rule to validate the <code>Host</code> header against a whitelist of expected values.</li>
<li>Apply available patches as soon as they are released for Tandoor Recipes to remediate CVE-2026-33149.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>host-header-injection</category><category>cve-2026-33149</category><category>web-application</category></item><item><title>Tandoor Recipes Authentication Bypass Vulnerability (CVE-2026-35045)</title><link>https://feed.craftedsignal.io/briefs/2024-01-tandoor-recipe-auth-bypass/</link><pubDate>Sat, 27 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-tandoor-recipe-auth-bypass/</guid><description>Tandoor Recipes before version 2.6.4 allows authenticated users within a space to modify any recipe in that space, including private ones, via the PUT /api/recipe/batch_update/ endpoint, bypassing object-level authorization checks and enabling unauthorized access and data tampering.</description><content:encoded><![CDATA[<p>Tandoor Recipes, an application for managing recipes, planning meals, and building shopping lists, contains an authentication bypass vulnerability. Specifically, versions prior to 2.6.4 are susceptible to CVE-2026-35045. This flaw enables any authenticated user within a shared Space to modify any recipe within that Space, regardless of the recipe's privacy settings. The vulnerability stems from a lack of object-level authorization checks on the <code>/api/recipe/batch_update/</code> endpoint, contrasting with the more restrictive single-recipe endpoints (PUT <code>/api/recipe/{id}/</code>). This allows attackers to force the exposure of private recipes, grant themselves unauthorized access, and tamper with recipe metadata. Defenders should prioritize upgrading Tandoor Recipes to version 2.6.4 to remediate this vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to a Tandoor Recipes instance.</li>
<li>The attacker identifies a Space containing recipes they wish to modify, including private recipes.</li>
<li>The attacker crafts a <code>PUT</code> request to the <code>/api/recipe/batch_update/</code> endpoint.</li>
<li>The request includes a payload designed to modify the target recipe (e.g., changing the recipe name, ingredients, or privacy settings).</li>
<li>The application, lacking proper authorization checks on this endpoint, processes the request.</li>
<li>The target recipe is modified according to the attacker's specifications, bypassing intended privacy restrictions.</li>
<li>The attacker can then exfiltrate or further manipulate the recipe data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-35045 can lead to the unauthorized disclosure of private recipes, potentially containing sensitive personal information or proprietary culinary techniques. It can also facilitate the tampering of recipe data, leading to incorrect or malicious instructions. This vulnerability affects all Tandoor Recipes instances running versions prior to 2.6.4 and accessible to authenticated users.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Tandoor Recipes to version 2.6.4 or later to patch CVE-2026-35045.</li>
<li>Implement the Sigma rule <code>Detect Tandoor Recipe Batch Update</code> to monitor for suspicious requests to the <code>/api/recipe/batch_update/</code> endpoint.</li>
<li>Review webserver access logs for unusual PUT requests targeting the <code>/api/recipe/batch_update/</code> endpoint after authentication, to identify possible exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>authentication-bypass</category><category>web-application</category><category>tandoor-recipes</category></item><item><title>Tandoor Recipes Unauthenticated Password Guessing Vulnerability (CVE-2026-33152)</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-tandoor-password-guessing/</link><pubDate>Tue, 09 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-tandoor-password-guessing/</guid><description>Tandoor Recipes before 2.6.0 allows unauthenticated attackers to perform high-speed password guessing attacks against any known username due to improper rate limiting on API endpoints using BasicAuthentication.</description><content:encoded><![CDATA[<p>Tandoor Recipes, a recipe management and meal planning application, is susceptible to a critical vulnerability (CVE-2026-33152) in versions prior to 2.6.0. The application's configuration of Django REST Framework with BasicAuthentication as a default authentication backend, combined with insufficient rate limiting, creates a significant security risk. The AllAuth rate limiting (ACCOUNT_RATE_LIMITS: login: 5/m/ip) is only applied to the HTML login endpoint (/accounts/login/), leaving API endpoints unprotected. This allows attackers to bypass rate limiting and account lockout mechanisms by sending authentication requests directly to the API. This vulnerability enables an attacker to perform unlimited password attempts against valid usernames, potentially gaining unauthorized access to user accounts and sensitive data. Tandoor Recipes version 2.6.0 addresses this vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a Tandoor Recipes instance running a version prior to 2.6.0.</li>
<li>The attacker discovers valid usernames through OSINT techniques or by leveraging other vulnerabilities (not described in source).</li>
<li>The attacker crafts HTTP requests with <code>Authorization: Basic</code> headers targeting an API endpoint that accepts authenticated requests.</li>
<li>The attacker sends multiple requests with different password guesses using a scripting language like Python and the <code>requests</code> library.</li>
<li>The Tandoor Recipes server authenticates the request if the credentials match a valid user.</li>
<li>If successful, the attacker gains access to the targeted user's account.</li>
<li>The attacker accesses, modifies, or exfiltrates recipes, meal plans, shopping lists, and potentially other user data.</li>
<li>The attacker pivots to other user accounts if sufficient privileges exist, further expanding their access and potential damage.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33152 allows attackers to compromise user accounts on vulnerable Tandoor Recipes instances. This can lead to unauthorized access to sensitive user data, including personal recipes, meal plans, and shopping lists. Depending on the application's deployment and user permissions, attackers may also be able to modify data, add malicious content, or pivot to other systems. The lack of rate limiting makes password guessing attacks highly effective, increasing the risk of widespread account compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Tandoor Recipes instances to version 2.6.0 or later to patch CVE-2026-33152.</li>
<li>Implement rate limiting on API endpoints that accept BasicAuthentication, independent of AllAuth's HTML login rate limiting.</li>
<li>Deploy the Sigma rule <code>Detect Tandoor Recipes Basic Authentication Brute Force</code> to identify potential password guessing attempts against Tandoor Recipes instances in your environment.</li>
<li>Monitor web server logs for excessive <code>Authorization: Basic</code> header usage targeting Tandoor Recipes API endpoints.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>CVE-2026-33152</category><category>tandoor-recipes</category><category>password-guessing</category><category>credential-access</category></item></channel></rss>