Description
Tandoor Recipes is a recipe manager that can be installed with the Nix package manager. Starting in version 23.05 and prior to version 26.05, when using the default configuration of Tandoor Recipes, specifically using SQLite and the default `MEDIA_ROOT`, the full database file may be externally accessible, potentially on the Internet. The root cause is that the NixOS module configures the working directory of Tandoor Recipes, as well as the value of `MEDIA_ROOT`, to be `/var/lib/tandoor-recipes`. This causes Tandoor Recipes to create its `db.sqlite3` database file in the same directory as `MEDIA_ROOT`, making it accessible without authentication over HTTP like any other media file. This is the case when using `GUNICORN_MEDIA=1` or when using a web server like nginx to serve media files. NixOS 26.05 changes the default value of `MEDIA_ROOT` to a subfolder of the data directory. This only applies to configurations with `system.stateVersion` >= 26.05. For older configurations, one of the workarounds should be applied instead. NixOS 25.11 has received a backport of this patch, though it doesn't fix this vulnerability without user intervention. A recommended workaround is to move `MEDIA_ROOT` into a subdirectory. Non-recommended workarounds include switching to PostgreSQL or disallowing access to `db.sqlite3`.
Published: 2026-01-19
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to the Tandoor Recipes SQLite database via HTTP without authentication
Action: Apply Workaround
AI Analysis

Impact

The vulnerability resides in the default configuration of the Tandoor Recipes package managed by NixOS. When SQLite is used with the default MEDIA_ROOT directory, the application places its database file, db.sqlite3, alongside media assets. Because the web server serves media files from this directory, the database file becomes reachable through ordinary HTTP requests, exposing all stored data with no authentication. This is a confidentiality breach classified as CWE-538 (Insertion of Sensitive Information into Externally-Accessible File or Directory).

Affected Systems

The flaw affects the NixOS package collection, specifically the Tandoor Recipes module available from the nixpkgs repository. Versions beginning with 23.05 through 26.04 are vulnerable when using the default configuration. NixOS 26.05 changes the default MEDIA_ROOT to a subdirectory of the data directory, eliminating the issue for configurations whose system.stateVersion is 26.05 or newer. Earlier configurations can mitigate the problem with the recommended workarounds, and a NixOS 25.11 backport exists but requires user action.

Risk and Exploitability

The CVSS base score of 8.7 indicates a high impact, while the EPSS score of less than 1% suggests a low probability of exploitation as of the latest data. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote HTTP request to the media directory, retrieving the db.sqlite3 file if the server is configured to serve media files from that location. Once accessed, the database contents could be read by any network adversary with reach to the host.

Generated by OpenCVE AI on April 18, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Move or configure the MEDIA_ROOT directory to a subdirectory so that the db.sqlite3 file is not served by the web server.
  • Configure whatever serves the media directory (nginx, or gunicorn itself when GUNICORN_MEDIA=1 is set) to block HTTP access to db.sqlite3 in that directory.
  • Upgrade to NixOS 26.05 or apply the 25.11 backport patch and then adjust MEDIA_ROOT to the new default subfolder.
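The recommended workaround from the description and the actions above, as an added NixOS configuration example (not taken from the advisory or from nixpkgs) for a host whose system.stateVersion is older than 26.05. The option names under services.tandoor-recipes (enable, extraConfig passing environment variables) and the preStart hook are assumptions about the nixpkgs module; check them against your nixpkgs revision.

```nix
# Added example, not part of the advisory or of the nixpkgs module.
# Assumption: services.tandoor-recipes.extraConfig is an attribute set of
# environment variables handed to Tandoor Recipes.
{ config, lib, ... }:
{
  services.tandoor-recipes = {
    enable = true;

    # Exposed default on affected versions (23.05 up to 26.05 with an older
    # stateVersion): working directory and MEDIA_ROOT are both
    # /var/lib/tandoor-recipes, so db.sqlite3 is created inside the served
    # media tree and answers to an unauthenticated HTTP request.
    #
    #   extraConfig.MEDIA_ROOT = "/var/lib/tandoor-recipes";

    # Recommended workaround: move MEDIA_ROOT into a subdirectory of the
    # state directory. The database keeps living in the working directory
    # (/var/lib/tandoor-recipes/db.sqlite3), which is now outside MEDIA_ROOT
    # and therefore no longer served by gunicorn (GUNICORN_MEDIA=1) or nginx.
    extraConfig = {
      MEDIA_ROOT = "/var/lib/tandoor-recipes/media";
    };
  };

  # Assumption: the subdirectory has to exist before the service starts.
  # preStart runs as the service user inside its state directory, so the
  # new directory inherits the right ownership.
  systemd.services.tandoor-recipes.preStart = lib.mkBefore ''
    mkdir -p /var/lib/tandoor-recipes/media
  '';
}
```

Media already uploaded under the old MEDIA_ROOT has to be moved into the new subdirectory by hand, otherwise existing recipe images stop resolving; the database file itself stays where it is.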

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 22:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 08:45:00 +0000

Type: First Time appeared
Values Added: Nixos; Nixos nixos; Tandoor; Tandoor recipes
Type: Vendors & Products
Values Added: Nixos; Nixos nixos; Tandoor; Tandoor recipes

Mon, 19 Jan 2026 18:30:00 +0000

Type: Description
Values Added: Tandoor Recipes is a recipe manager that can be installed with the Nix package manager. Starting in version 23.05 and prior to version 26.05, when using the default configuration of Tandoor Recipes, specifically using SQLite and default `MEDIA_ROOT`, the full database file may be externally accessible, potentially on the Internet. The root cause is that the NixOS module configures the working directory of Tandoor Recipes, as well as the value of `MEDIA_ROOT`, to be `/var/lib/tandoor-recipes`. This causes Tandoor Recipes to create its `db.sqlite3` database file in the same directory as `MEDIA_ROOT` causing it to be accessible without authentication through HTTP like any other media file. This is the case when using `GUNICORN_MEDIA=1` or when using a web server like nginx to serve media files. NixOS 26.05 changes the default value of `MEDIA_ROOT` to a sub folder of the data directory. This only applies to configurations with `system.stateVersion` >= 26.05. For older configurations, one of the workarounds should be applied instead. NixOS 25.11 has received a backport of this patch, though it doesn't fix this vulnerability without user intervention. A recommended workaround is to move `MEDIA_ROOT` into a subdirectory. Non-recommended workarounds include switching to PostgreSQL or disallowing access to `db.sqlite3`.
Type: Title
Values Added: Tandoor Recipes module allows SQLite database to be externally accessible with the default settings
Type: Weaknesses
Values Added: CWE-538
Type: References
Type: Metrics
Values Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T21:41:34.412Z

Reserved: 2026-01-16T15:46:40.842Z

Link: CVE-2026-23838

Vulnrichment

Updated: 2026-01-20T21:41:31.707Z

NVD

Status: Deferred

Published: 2026-01-19T19:16:03.937

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23838

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:00:04Z

Weaknesses