Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration (ACCOUNT_RATE_LIMITS: login: 5/m/ip) only applies to the HTML-based login endpoint at /accounts/login/. Any API endpoint that accepts authenticated requests can be targeted via Authorization: Basic headers with zero rate limiting, zero account lockout, and unlimited attempts. An attacker can perform high-speed password guessing against any known username. Version 2.6.0 patches the issue.
Published: 2026-03-26
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted brute‑force login
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in Tandoor Recipes’ use of Django REST Framework with BasicAuthentication as a default backend. Because the built‑in account rate limiting only protects the web login page, API endpoints that accept BasicAuthentication headers are left unguarded. An attacker can therefore brute‑force any known username at an unrestricted rate, achieving unauthorized access. This weakness is cataloged as CWE‑307, a flaw that permits password brute‑forcing.

Affected Systems

The affected product is Tandoor Recipes (recipe‑management application). All releases before version 2.6.0 are impacted; the 2.6.0 release includes the fix.

Risk and Exploitability

The CVSS score of 9.1 marks the issue as critical. Although the EPSS score is below 1%, indicating a low probability of public exploitation, the existing high severity and absence of rate limiting mean that organizations with Tandoor Recipes can be targeted by automated tools or attackers with minimal effort. The vulnerability has not yet been listed in the CISA KEV catalog, but because it permits unrestricted credential guessing via existing API endpoints, it remains a high‑risk concern for any environment that relies on this system for user authentication.

Generated by OpenCVE AI on March 30, 2026 at 20:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 2.6.0 or newer to apply the vendor‑issued fix.
  • If an upgrade is not immediately possible, disable BasicAuthentication or configure custom rate limiting or account lockout on the API endpoints.
  • Monitor authentication logs for abnormal or repeated login attempts.
  • Enforce strong password policies and consider enabling account lockout after a limited number of failed attempts.

Generated by OpenCVE AI on March 30, 2026 at 20:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Tandoor
Tandoor recipes
CPEs cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*
Vendors & Products Tandoor
Tandoor recipes

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Tandoorrecipes
Tandoorrecipes recipes
Vendors & Products Tandoorrecipes
Tandoorrecipes recipes

Thu, 26 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Description Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration (ACCOUNT_RATE_LIMITS: login: 5/m/ip) only applies to the HTML-based login endpoint at /accounts/login/. Any API endpoint that accepts authenticated requests can be targeted via Authorization: Basic headers with zero rate limiting, zero account lockout, and unlimited attempts. An attacker can perform high-speed password guessing against any known username. Version 2.6.0 patches the issue.
Title Tandoor Recipes Vulnerable to Unrestricted Brute-Force via BasicAuthentication
Weaknesses CWE-307
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Tandoor Recipes
Tandoorrecipes Recipes
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T19:52:09.977Z

Reserved: 2026-03-17T21:17:08.885Z

Link: CVE-2026-33152

cve-icon Vulnrichment

Updated: 2026-03-26T19:50:22.661Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T19:17:03.147

Modified: 2026-03-30T19:18:18.253

Link: CVE-2026-33152

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T20:57:35Z

Weaknesses