Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the Recipe API endpoint exposes a hidden `?debug=true` query parameter that returns the complete raw SQL query being executed, including all table names, column names, JOIN relationships, WHERE conditions (revealing access control logic), and multi-tenant space IDs. This parameter works even when Django's `DEBUG=False` (production mode) and is accessible to any authenticated user regardless of their privilege level. This allows a low-privilege attacker to map the entire database schema and reverse-engineer the authorization model. Version 2.6.0 patches the issue.
Published: 2026-03-26
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: High-Level Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

A hidden debug query parameter is exposed in Tandoor Recipes versions older than 2.6.0. When an authenticated user appends ?debug=true to the Recipe API endpoint, the application returns the entire raw SQL query it executes, including table and column names, JOIN clauses, WHERE conditions that embed the access control logic, and multi-tenant space identifiers. This disclosure lets an attacker recover the database schema, understand the authorization model and map critical data, which amounts to high-level information leakage. No code execution or denial of service is facilitated by this flaw.

Affected Systems

The vulnerability affects the Tandoor Recipes application, specifically the recipes module. All releases before version 2.6.0 are susceptible; any instance running those versions, irrespective of deployment environment, is at risk while operating in production mode where Django's DEBUG setting is disabled.

Risk and Exploitability

The flaw has a CVSS score of 7.7, indicating high severity. With an EPSS score below 1%, the likelihood of active exploitation is currently low, and it is not listed in the CISA KEV catalog. However, the attack requires only an authenticated session and no special privileges, so exploitation is relatively easy. Once leveraged, the attacker can map the entire database structure and infer the application's permission scheme, threatening confidentiality and potentially aiding future attacks.

Generated by OpenCVE AI on March 30, 2026 at 20:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Tandoor Recipes 2.6.0 or later.
  • Confirm that the upgraded version is in use.
  • Restart services if required to apply the patch.
  • Monitor system logs for anomalous database queries.
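The last recommended action, monitoring logs, can be made concrete on the web-server side: the parameter named in the description travels in the query string, so reverse-proxy access logs show any request that carries it. The script below is an added example, not code from OpenCVE or from the Tandoor project. It assumes a combined-format (nginx/Apache style) access log and a hypothetical `/api/recipe/` path prefix for the Recipe API endpoint (the advisory names the endpoint but not its path); the log lines are constructed for the demo.

```python
"""
Added example: flag access-log requests that carry a `debug` query
parameter against the Recipe API. The log format, the path prefix and
the sample lines are assumptions, not taken from the advisory.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# nginx/Apache "combined" log format (assumption: adjust to your proxy).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Hypothetical path prefix of the Recipe API endpoint named in the advisory.
RECIPE_API_PREFIX = "/api/recipe/"


def is_debug_probe(target: str) -> bool:
    """True when the request target hits the Recipe API with a `debug`
    query parameter, whatever its value or letter case (`?debug=`,
    `?DEBUG=1` and `?debug=true` all count)."""
    parts = urlsplit(target)
    if not parts.path.startswith(RECIPE_API_PREFIX):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return any(key.lower() == "debug" for key in params)


def scan_access_log(lines):
    """Return (hits, per_source): hits are the parsed records of debug
    probes; per_source counts probes per (client IP, authenticated user)
    so repeated probing from one session stands out."""
    hits = []
    per_source = Counter()
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:  # lines that do not match the format are skipped
            continue
        if is_debug_probe(m["target"]):
            rec = m.groupdict()
            hits.append(rec)
            per_source[(rec["ip"], rec["user"])] += 1
    return hits, per_source


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - alice [30/Mar/2026:20:10:01 +0000] "GET /api/recipe/?page=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - bob [30/Mar/2026:20:10:07 +0000] "GET /api/recipe/?debug=true HTTP/1.1" 200 9871 "-" "curl/8.0"',
    '10.0.0.9 - bob [30/Mar/2026:20:10:09 +0000] "GET /api/recipe/42/?DEBUG=1 HTTP/1.1" 200 3322 "-" "curl/8.0"',
    '10.0.0.7 - - [30/Mar/2026:20:11:00 +0000] "GET /static/app.js?debug=true HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    hits, per_source = scan_access_log(SAMPLE_LOG)
    for rec in hits:
        print(f'{rec["time"]} {rec["ip"]} user={rec["user"]} '
              f'{rec["method"]} {rec["target"]} -> {rec["status"]}')
    for (ip, user), n in per_source.most_common():
        print(f"{ip} ({user}): {n} debug probe(s)")
```

On the sample input the two `curl` requests from `bob` are reported and the `/static/app.js?debug=true` line is not, because only the Recipe API path is in scope. Matching the parameter name case-insensitively and with blank values is deliberate: a detection keyed on the literal string `debug=true` would miss trivial variants. On an upgraded instance (2.6.0 or later) the same scan is still useful as evidence of who probed the endpoint before the patch was applied.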



Advisories

No advisories yet.

History

Mon, 30 Mar 2026 19:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Tandoor; Tandoor recipes
CPEs                                  cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*
Vendors & Products                    Tandoor; Tandoor recipes
Metrics                               cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Fri, 27 Mar 2026 08:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Tandoorrecipes; Tandoorrecipes recipes
Vendors & Products                    Tandoorrecipes; Tandoorrecipes recipes

Thu, 26 Mar 2026 20:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 19:15:00 +0000

Type                 Values Removed   Values Added
Description                           Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the Recipe API endpoint exposes a hidden `?debug=true` query parameter that returns the complete raw SQL query being executed, including all table names, column names, JOIN relationships, WHERE conditions (revealing access control logic), and multi-tenant space IDs. This parameter works even when Django's `DEBUG=False` (production mode) and is accessible to any authenticated user regardless of their privilege level. This allows a low-privilege attacker to map the entire database schema and reverse-engineer the authorization model. Version 2.6.0 patches the issue.
Title                                 Tandoor Recipes's Unauthenticated Debug Parameter Leaks Full Raw SQL Queries Including Schema, Table Names, and Access Control Logic
Weaknesses                            CWE-89
References
Metrics                               cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T19:52:10.149Z

Reserved: 2026-03-17T21:17:08.886Z

Link: CVE-2026-33153

Vulnrichment

Updated: 2026-03-26T19:50:25.400Z

NVD

Status: Analyzed

Published: 2026-03-26T19:17:03.313

Modified: 2026-03-30T19:16:16.650

Link: CVE-2026-33153

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:57:36Z

Weaknesses