Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, there is a Blind Server-Side Request Forgery (SSRF) vulnerability in the Cookmate recipe import feature of Tandoor Recipes. The application fails to validate the destination URL after following HTTP redirects, allowing any authenticated user (including standard users without administrative privileges) to force the server to connect to arbitrary internal or external resources. The vulnerability lies in cookbook/integration/cookmate.py, within the Cookmate integration class. This vulnerability can be leveraged to scan internal network ports, access cloud instance metadata (e.g., AWS/GCP Metadata Service), or disclose the server's real IP address. This vulnerability is fixed in 2.5.1.
Published: 2026-02-13
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Blind SSRF allowing internal network access
Action: Patch
AI Analysis

Impact

The Cookmate recipe import feature in Tandoor Recipes permits a blind server-side request forgery because the application does not validate the final destination URL after following HTTP redirects. Any authenticated user, even a standard user without administrative rights, can make the server send requests to arbitrary internal or external resources. The flaw can be used to probe internal network ports, query cloud instance metadata services such as those of AWS or GCP, or reveal the host's real IP address. The vulnerability is classified as CWE-918 (Server-Side Request Forgery), here arising from an unvalidated redirect destination, and compromises the confidentiality and availability of internal resources.
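A defender-side illustration of the missing check described above, added here and not taken from Tandoor's code: every redirect hop is resolved and tested against public address space before it is requested, instead of only the URL the user typed. The send() and resolver callables, the host names and the 198.51.0.10 address are constructed stand-ins for the HTTP client and DNS.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Added example, not Tandoor's code: re-validate the destination on EVERY
# redirect hop, the check the vulnerable importer skipped after following 3xx.

def is_public_ip(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast

def check_destination(url: str, resolver=socket.gethostbyname_ex) -> None:
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    _, _, addrs = resolver(parts.hostname)  # every address record must be public
    bad = [a for a in addrs if not is_public_ip(a)]
    if bad:
        raise ValueError(f"{parts.hostname} resolves to non-public {bad}")

def fetch_with_checked_redirects(url, send, resolver=socket.gethostbyname_ex):
    """send(url) -> (status, headers, body) and must not follow redirects itself."""
    hops = [url]
    for _ in range(6):  # at most 5 redirects
        check_destination(hops[-1], resolver)  # validate before each request
        status, headers, body = send(hops[-1])
        if status not in (301, 302, 303, 307, 308):
            return hops, body
        if "Location" not in headers:
            raise ValueError("redirect without Location header")
        hops.append(urljoin(hops[-1], headers["Location"]))  # handles relative
    raise ValueError("too many redirects")

def demo():
    # Constructed offline stand-ins for DNS and HTTP: 198.51.0.10 is a made-up
    # public address, 169.254.169.254 the link-local cloud-metadata address.
    dns = {"recipes.example": ["198.51.0.10"], "meta.example": ["169.254.169.254"]}
    responses = {
        "https://recipes.example/book.cml": (200, {}, b"<cookmate/>"),
        "https://recipes.example/jump.cml": (302, {"Location": "http://meta.example/latest/"}, b""),
    }
    results = {}
    for path in ("book.cml", "jump.cml"):
        try:
            hops, body = fetch_with_checked_redirects(
                f"https://recipes.example/{path}", responses.__getitem__, lambda h: (h, [], dns[h]))
            results[path] = ("fetched", len(hops), body)
        except ValueError as exc:
            results[path] = ("blocked", str(exc))
    return results
```

Resolving first and letting the HTTP library resolve again leaves a window for a differing second DNS answer, so production code should also connect to the address it checked (or resolve once and pass the IP to the client). Egress filtering, as recommended below, limits the damage if such a check is bypassed.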

Affected Systems

All releases of Tandoor Recipes prior to version 2.5.1 are affected. The fix was introduced in the 2.5.1 release (see commit fdf22c5e745740db1fec29d6b4bd3df5d340e6ab and the 2.5.1 tag). Any release before 2.5.1, whether an earlier 2.x version or an older major version, is vulnerable.

Risk and Exploitability

The CVSS v3.1 score is 7.7, indicating high severity. The EPSS score is reported as less than 1%, suggesting a very low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated to the application, but once logged in they can supply any URL for import, making the attack path straightforward. The potential damage includes unauthorized network reconnaissance, metadata theft, and server IP disclosure, which could aid further attacks against the host.

Generated by OpenCVE AI on April 18, 2026 at 12:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch (upgrade to Tandoor Recipes 2.5.1 or later) to fix the SSRF flaw.
  • Restrict outbound network connections from the Tandoor Recipes server to only the services required by the application, limiting the reach of any residual SSRF.
  • Temporarily disable the Cookmate recipe import feature until the application can be upgraded to a fixed version, preventing authenticated users from triggering SSRF.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 16:15:00 +0000

  • First Time appeared (added): Tandoor; Tandoor recipes
  • CPEs (added): cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*
  • Vendors & Products (added): Tandoor; Tandoor recipes

Fri, 13 Feb 2026 21:45:00 +0000

  • First Time appeared (added): Tandoorrecipes; Tandoorrecipes recipes
  • Vendors & Products (added): Tandoorrecipes; Tandoorrecipes recipes

Fri, 13 Feb 2026 20:15:00 +0000

  • Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Feb 2026 18:45:00 +0000

  • Description (added): identical to the Description at the top of this page
  • Title (added): Tandoor Recipes affected by Blind SSRF with Internal Network Access via Recipe Import
  • Weaknesses (added): CWE-918
  • References (added)
  • Metrics (added): cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Tandoor Recipes
Tandoorrecipes Recipes
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-13T19:58:00.752Z

Reserved: 2026-02-09T17:41:55.858Z

Link: CVE-2026-25991

Vulnrichment

Updated: 2026-02-13T19:57:16.651Z

NVD

Status: Analyzed

Published: 2026-02-13T19:17:28.953

Modified: 2026-02-17T16:10:27.940

Link: CVE-2026-25991

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:30:45Z

Weaknesses