{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33152", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T21:17:08.885Z", "datePublished": "2026-03-26T19:07:39.225Z", "dateUpdated": "2026-03-26T19:52:09.977Z"}, "containers": {"cna": {"title": "Tandoor Recipes Vulnerable to Unrestricted Brute-Force via BasicAuthentication", "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "lang": "en", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-7m7c-jjqc-r522", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-7m7c-jjqc-r522"}, {"name": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0"}], "affected": [{"vendor": "TandoorRecipes", "product": "recipes", "versions": [{"version": "< 2.6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T19:07:39.225Z"}, "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration (ACCOUNT_RATE_LIMITS: login: 5/m/ip) only applies to the HTML-based login endpoint at /accounts/login/. Any API endpoint that accepts authenticated requests can be targeted via Authorization: Basic headers with zero rate limiting, zero account lockout, and unlimited attempts. An attacker can perform high-speed password guessing against any known username. Version 2.6.0 patches the issue."}], "source": {"advisory": "GHSA-7m7c-jjqc-r522", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33152", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T19:46:37.336472Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:52:09.977Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33152", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T19:46:37.336472Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:50:22.661Z"}}], "cna": {"title": "Tandoor Recipes Vulnerable to Unrestricted Brute-Force via BasicAuthentication", "source": {"advisory": "GHSA-7m7c-jjqc-r522", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "TandoorRecipes", "product": "recipes", "versions": [{"status": "affected", "version": "< 2.6.0"}]}], "references": [{"url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-7m7c-jjqc-r522", "name": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-7m7c-jjqc-r522", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0", "name": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration (ACCOUNT_RATE_LIMITS: login: 5/m/ip) only applies to the HTML-based login endpoint at /accounts/login/. Any API endpoint that accepts authenticated requests can be targeted via Authorization: Basic headers with zero rate limiting, zero account lockout, and unlimited attempts. An attacker can perform high-speed password guessing against any known username. Version 2.6.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T19:07:39.225Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33152", "state": "PUBLISHED", "dateUpdated": "2026-03-26T19:52:09.977Z", "dateReserved": "2026-03-17T21:17:08.885Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T19:07:39.225Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*", "matchCriteriaId": "6EFEDF7D-1D00-4901-A064-ECC168038F6C", "versionEndExcluding": "2.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration (ACCOUNT_RATE_LIMITS: login: 5/m/ip) only applies to the HTML-based login endpoint at /accounts/login/. Any API endpoint that accepts authenticated requests can be targeted via Authorization: Basic headers with zero rate limiting, zero account lockout, and unlimited attempts. An attacker can perform high-speed password guessing against any known username. Version 2.6.0 patches the issue."}, {"lang": "es", "value": "Tandoor Recipes es una aplicaci\u00f3n para gestionar recetas, planificar comidas y crear listas de compras. En versiones anteriores a la 2.6.0, Tandoor Recipes configura Django REST Framework con BasicAuthentication como uno de los backends de autenticaci\u00f3n predeterminados. La configuraci\u00f3n de limitaci\u00f3n de tasa de AllAuth (ACCOUNT_RATE_LIMITS: login: 5/m/ip) solo se aplica al endpoint de inicio de sesi\u00f3n basado en HTML en /accounts/login/. Cualquier endpoint de API que acepte solicitudes autenticadas puede ser objetivo a trav\u00e9s de encabezados Authorization: Basic sin limitaci\u00f3n de tasa, sin bloqueo de cuenta y con intentos ilimitados. Un atacante puede realizar adivinaci\u00f3n de contrase\u00f1as a alta velocidad contra cualquier nombre de usuario conocido. La versi\u00f3n 2.6.0 corrige el problema."}], "id": "CVE-2026-33152", "lastModified": "2026-03-30T19:18:18.253", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T19:17:03.147", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-7m7c-jjqc-r522"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "recipes", "source": "cna", "vendor": "TandoorRecipes"}, "product": "recipes", "vendor": "tandoorrecipes"}], "analysis": {"en": {"generated_at": "2026-03-26T20:22:22.683927+00:00", "value": {"mitigation_remediation": ["Upgrade Tandoor Recipes to version 2.6.0 or newer", "If an upgrade is not immediately possible, disable the BasicAuthentication backend until the patch is applied", "Configure rate limiting on all API endpoints that accept authenticated requests", "Enable multi\u2011factor authentication for user accounts", "Monitor log files and network traffic for repeated failed authentication attempts"], "summary": {"action": "Apply Patch", "impact": "Unrestricted brute\u2011force login via BasicAuthentication leading to account compromise"}, "threat_synthesis": {"affected_systems": "Tandoor Recipes, the Django\u2011based recipe management application, is affected in all releases prior to version 2.6.0. The vulnerable product is listed as TandoorRecipes:recipes and applies to any host running those older versions.", "description_and_impact": "The vulnerability enables an attacker to supply a valid username and repeatedly guess passwords because BasicAuthentication is enabled by default and no rate limiting is applied to API endpoints. This allows brute\u2011force attempts that can compromise accounts and potentially expose sensitive data. The weakness is an authentication bypass due to missing controls, corresponding to CWE\u2011307.", "risk_and_exploitability": "The CVSS score of 9.1 indicates critical severity, and the absence of rate limiting makes the flaw highly exploitable. No EPSS score is available, but for an exposed web API attackers have a low detection risk. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers can target any reachable API endpoint that accepts BasicAuthentication headers, enabling high\u2011speed password guessing from the network."}}}}, "created": "2026-03-27T08:33:13.726475+00:00", "updated": "2026-03-27T09:25:33.833782+00:00", "vendors": ["tandoorrecipes", "tandoorrecipes$PRODUCT$recipes"]}