{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33152", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T21:17:08.885Z", "datePublished": "2026-03-26T19:07:39.225Z", "dateUpdated": "2026-03-26T19:52:09.977Z"}, "containers": {"cna": {"title": "Tandoor Recipes Vulnerable to Unrestricted Brute-Force via BasicAuthentication", "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "lang": "en", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-7m7c-jjqc-r522", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-7m7c-jjqc-r522"}, {"name": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0"}], "affected": [{"vendor": "TandoorRecipes", "product": "recipes", "versions": [{"version": "< 2.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T19:07:39.225Z"}, "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration (ACCOUNT_RATE_LIMITS: login: 5/m/ip) only applies to the HTML-based login endpoint at /accounts/login/. Any API endpoint that accepts authenticated requests can be targeted via Authorization: Basic headers with zero rate limiting, zero account lockout, and unlimited attempts. An attacker can perform high-speed password guessing against any known username. Version 2.6.0 patches the issue."}], "source": {"advisory": "GHSA-7m7c-jjqc-r522", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33152", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T19:46:37.336472Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:52:09.977Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33152", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T19:46:37.336472Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:50:22.661Z"}}], "cna": {"title": "Tandoor Recipes Vulnerable to Unrestricted Brute-Force via BasicAuthentication", "source": {"advisory": "GHSA-7m7c-jjqc-r522", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "TandoorRecipes", "product": "recipes", "versions": [{"status": "affected", "version": "< 2.6.0"}]}], "references": [{"url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-7m7c-jjqc-r522", "name": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-7m7c-jjqc-r522", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0", "name": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration (ACCOUNT_RATE_LIMITS: login: 5/m/ip) only applies to the HTML-based login endpoint at /accounts/login/. Any API endpoint that accepts authenticated requests can be targeted via Authorization: Basic headers with zero rate limiting, zero account lockout, and unlimited attempts. An attacker can perform high-speed password guessing against any known username. Version 2.6.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T19:07:39.225Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33152", "state": "PUBLISHED", "dateUpdated": "2026-03-26T19:52:09.977Z", "dateReserved": "2026-03-17T21:17:08.885Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T19:07:39.225Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*", "matchCriteriaId": "6EFEDF7D-1D00-4901-A064-ECC168038F6C", "versionEndExcluding": "2.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration (ACCOUNT_RATE_LIMITS: login: 5/m/ip) only applies to the HTML-based login endpoint at /accounts/login/. Any API endpoint that accepts authenticated requests can be targeted via Authorization: Basic headers with zero rate limiting, zero account lockout, and unlimited attempts. An attacker can perform high-speed password guessing against any known username. Version 2.6.0 patches the issue."}, {"lang": "es", "value": "Tandoor Recipes es una aplicaci\u00f3n para gestionar recetas, planificar comidas y crear listas de compras. En versiones anteriores a la 2.6.0, Tandoor Recipes configura Django REST Framework con BasicAuthentication como uno de los backends de autenticaci\u00f3n predeterminados. La configuraci\u00f3n de limitaci\u00f3n de tasa de AllAuth (ACCOUNT_RATE_LIMITS: login: 5/m/ip) solo se aplica al endpoint de inicio de sesi\u00f3n basado en HTML en /accounts/login/. Cualquier endpoint de API que acepte solicitudes autenticadas puede ser objetivo a trav\u00e9s de encabezados Authorization: Basic sin limitaci\u00f3n de tasa, sin bloqueo de cuenta y con intentos ilimitados. Un atacante puede realizar adivinaci\u00f3n de contrase\u00f1as a alta velocidad contra cualquier nombre de usuario conocido. La versi\u00f3n 2.6.0 corrige el problema."}], "id": "CVE-2026-33152", "lastModified": "2026-03-30T19:18:18.253", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T19:17:03.147", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-7m7c-jjqc-r522"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "recipes", "source": "cna", "vendor": "TandoorRecipes"}, "product": "recipes", "vendor": "tandoorrecipes"}], "analysis": {"en": {"generated_at": "2026-03-30T20:28:06.131344+00:00", "value": {"mitigation_remediation": ["Upgrade to version 2.6.0 or newer to apply the vendor\u2011issued fix.", "If an upgrade is not immediately possible, disable BasicAuthentication or configure custom rate limiting or account lockout on the API endpoints.", "Monitor authentication logs for abnormal or repeated login attempts.", "Enforce strong password policies and consider enabling account lockout after a limited number of failed attempts."], "summary": {"action": "Apply Patch", "impact": "Unrestricted brute\u2011force login"}, "threat_synthesis": {"affected_systems": "The affected product is Tandoor Recipes (recipe\u2011management application). All releases before version 2.6.0 are impacted; the 2.6.0 release includes the fix.", "description_and_impact": "The vulnerability resides in Tandoor Recipes\u2019 use of Django REST Framework with BasicAuthentication as a default backend. Because the built\u2011in account rate limiting only protects the web login page, API endpoints that accept BasicAuthentication headers are left unguarded. An attacker can therefore brute\u2011force any known username at an unrestricted rate, achieving unauthorized access. This weakness is cataloged as CWE\u2011307, a flaw that permits password brute\u2011forcing.", "risk_and_exploitability": "The CVSS score of 9.1 marks the issue as critical. Although the EPSS score is below 1%, indicating a low probability of public exploitation, the existing high severity and absence of rate limiting mean that organizations with Tandoor Recipes can be targeted by automated tools or attackers with minimal effort. The vulnerability has not yet been listed in the CISA KEV catalog, but because it permits unrestricted credential guessing via existing API endpoints, it remains a high\u2011risk concern for any environment that relies on this system for user authentication."}}}}, "created": "2026-03-27T08:33:13.726475+00:00", "updated": "2026-03-30T20:57:35.540209+00:00", "vendors": ["tandoorrecipes", "tandoorrecipes$PRODUCT$recipes"]}