CVE-2026-33152: Tandoor Recipes
Bypasses API authentication to enable unlimited password guessing in Tandoor Recipes. Compromises any user account via brute-force. Upgrade to version 2.6.0 to patch immediately.
Patch now - CVE-2026-33152 is a critical authentication bypass in Tandoor Recipes that lets attackers perform unlimited password-guessing attacks against any user account via the API. Upgrade to version 2.6.0 to block brute-force logins.
Overview
A critical security vulnerability has been discovered in Tandoor Recipes, a popular web application for managing recipes, meal planning, and shopping lists. This flaw, tracked as CVE-2026-33152, allows attackers to bypass critical security protections and perform unlimited password-guessing attacks against user accounts.
Vulnerability Explained
In simple terms, the application had a mismatch in its security controls. The standard web login page correctly limited login attempts to five per minute per IP address. However, the programming interface (API) that the application uses internally was also configured to accept HTTP Basic Authentication, a separate login mechanism that was not covered by these limits at all.
An attacker can target any API endpoint using “Basic Authentication” headers. This method allows them to submit username and password combinations at extremely high speed, with no account lockout and no limit on the number of attempts. This makes it trivial to perform brute-force attacks against any known username.
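The mismatch is easiest to see in code. The following is an added example, not Tandoor's own code: the request representation, the `/accounts/login/` path, the user table and the throttle implementation are constructed for illustration. The same per-IP sliding-window limiter is applied two ways: first only to the form login (the pre-2.6.0 situation the advisory describes, where `Authorization: Basic` guesses against any endpoint are never counted), then to every request that carries credentials, which is the behaviour a defender wants regardless of which authentication backend is enabled.

```python
import base64
from collections import defaultdict, deque

LOGIN_PATH = "/accounts/login/"   # assumed form-login path, not taken from the advisory
LIMIT = 5                          # the advisory states five attempts ...
WINDOW = 60.0                      # ... per minute per source IP

# Constructed demo user table; real code stores password hashes, never plaintext.
USERS = {"alice": "correct-horse-battery-staple"}


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key (here: client IP)."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, key, now):
        hits = self._hits[key]
        while hits and now - hits[0] > self.window:
            hits.popleft()          # drop events that fell out of the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def extract_credentials(request):
    """Return (username, password) if the request carries a password guess, else None.

    A guess can arrive either as the form POST to the login page or as an
    Authorization: Basic header on any other endpoint; both must be treated alike.
    """
    auth = request["headers"].get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None             # malformed header: no usable credentials
        user, _, password = decoded.partition(":")
        return user, password
    if request["path"] == LOGIN_PATH and request["method"] == "POST":
        return request["form"].get("username", ""), request["form"].get("password", "")
    return None


def check_password(creds):
    user, password = creds
    return 200 if USERS.get(user) == password else 401


def dispatch(request, limiter, now, throttle_all_credentials):
    """Route one request and return an HTTP status code.

    throttle_all_credentials=False reproduces the flaw the advisory describes:
    only the login form is counted, so Basic-auth guesses are never throttled.
    throttle_all_credentials=True is the hardened behaviour: every request that
    carries credentials consumes the same per-IP budget.
    """
    creds = extract_credentials(request)
    if creds is None:
        return 200                  # no password involved; out of scope here
    counts_toward_limit = request["path"] == LOGIN_PATH or throttle_all_credentials
    if counts_toward_limit and not limiter.allow(request["ip"], now):
        return 429
    return check_password(creds)


def basic_request(user, password, path="/api/recipe/", ip="203.0.113.7"):
    """Build a constructed API request carrying an Authorization: Basic header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"method": "GET", "path": path, "ip": ip,
            "headers": {"Authorization": f"Basic {token}"}, "form": {}}


def simulate_guessing(throttle_all_credentials, attempts=20):
    """Send a burst of wrong Basic-auth guesses from one IP within two seconds.

    Returns (guesses_actually_checked, guesses_rejected_with_429).
    """
    limiter = SlidingWindowLimiter()
    checked = rejected = 0
    for i in range(attempts):
        status = dispatch(basic_request("alice", f"wrong-{i}"), limiter,
                          now=i * 0.1, throttle_all_credentials=throttle_all_credentials)
        if status == 429:
            rejected += 1
        else:
            checked += 1
    return checked, rejected


if __name__ == "__main__":
    print("vulnerable:", simulate_guessing(False))   # every guess is evaluated
    print("hardened:  ", simulate_guessing(True))    # only LIMIT guesses get through
```

The design point is that the throttle must key on "this request carries credentials", not on "this request hit the login URL": any authentication backend that accepts a password on arbitrary endpoints silently widens the attack surface unless the limiter is applied at the same layer that evaluates the password.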
Potential Impact
The impact of this vulnerability is severe. Attackers can:
- Compromise User Accounts: By systematically guessing passwords, they can gain unauthorized access to any user account.
- Steal Sensitive Data: This includes personal recipe collections, meal plans, and associated data.
- Pivot to Further Attacks: A compromised account could be used to manipulate shopping lists or, if the application is hosted alongside other services, potentially launch further attacks.
This type of flaw is a primary vector for credential stuffing attacks, where attackers use passwords leaked from other breaches. You can review historical incidents to understand the scale of this threat in our breach reports.
Remediation and Mitigation
Immediate action is required to protect your Tandoor Recipes instance.
Primary Fix:
- Upgrade Immediately: All users must upgrade to Tandoor Recipes version 2.6.0 or later. This version patches the vulnerability by removing the insecure authentication backend from the API.
Verification and Additional Steps:
- Confirm Your Version: After upgrading, verify your installation is running version 2.6.0 or higher.
- Monitor for Suspicious Activity: Review application logs for a high volume of authentication attempts, especially those using Basic authentication headers, which may indicate a prior attack.
- Encourage Strong Passwords: Advise users to ensure they are using strong, unique passwords. Consider this a mandatory step if you suspect any exploitation attempt.
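The log review step above can be automated. The following is an added example, not part of the advisory or of Tandoor: it assumes a reverse proxy in front of the application that writes a combined-style access log with one extra quoted field holding only the authentication scheme word (`Basic`, or `-` when no `Authorization` header was present; the credential itself is never logged). The sample log lines are constructed. The detector flags any source IP with more than a threshold of failed Basic-auth requests inside a sliding 60-second window, and records whether the same IP later obtained a 200 with Basic auth, which is the pattern that would suggest a guess succeeded and the account should be treated as compromised.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed): combined log + trailing quoted auth-scheme field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ "(?P<auth>[^"]*)"$'
)

# Constructed sample: one IP hammers the API with Basic auth and finally succeeds,
# a second IP has a single typo then logs in, a third uses the normal login form.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:10:15:01 +0000] "GET /api/recipe/ HTTP/1.1" 401 52 "Basic"
203.0.113.7 - - [12/Mar/2026:10:15:02 +0000] "GET /api/recipe/ HTTP/1.1" 401 52 "Basic"
203.0.113.7 - - [12/Mar/2026:10:15:03 +0000] "GET /api/user/ HTTP/1.1" 401 52 "Basic"
203.0.113.7 - - [12/Mar/2026:10:15:04 +0000] "GET /api/user/ HTTP/1.1" 401 52 "Basic"
203.0.113.7 - - [12/Mar/2026:10:15:05 +0000] "GET /api/recipe/ HTTP/1.1" 401 52 "Basic"
203.0.113.7 - - [12/Mar/2026:10:15:06 +0000] "GET /api/recipe/ HTTP/1.1" 401 52 "Basic"
203.0.113.7 - - [12/Mar/2026:10:15:07 +0000] "GET /api/recipe/ HTTP/1.1" 401 52 "Basic"
203.0.113.7 - - [12/Mar/2026:10:15:08 +0000] "GET /api/recipe/ HTTP/1.1" 401 52 "Basic"
203.0.113.7 - - [12/Mar/2026:10:15:09 +0000] "GET /api/recipe/ HTTP/1.1" 200 1840 "Basic"
198.51.100.4 - - [12/Mar/2026:10:16:00 +0000] "GET /api/recipe/ HTTP/1.1" 401 52 "Basic"
198.51.100.4 - - [12/Mar/2026:10:16:30 +0000] "GET /api/recipe/ HTTP/1.1" 200 1840 "Basic"
192.0.2.10 - - [12/Mar/2026:10:17:00 +0000] "POST /accounts/login/ HTTP/1.1" 200 0 "-"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    event["status"] = int(event["status"])
    return event


def detect_basic_auth_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"failures_in_window": n, "later_success": bool}} for suspicious IPs.

    An IP is suspicious when more than `threshold` Basic-auth requests from it were
    rejected (401) inside any sliding `window`; `threshold` mirrors the five-per-minute
    budget the advisory says the login form enforces.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["auth"] != "Basic":
            continue
        if ev["status"] == 401:
            failures[ev["ip"]].append(ev["ts"])
        elif ev["status"] == 200:
            successes[ev["ip"]].append(ev["ts"])

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            first_failure = times[0]
            alerts[ip] = {
                "failures_in_window": peak,
                "later_success": any(s >= first_failure for s in successes.get(ip, [])),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_basic_auth_bursts(SAMPLE_LOG.splitlines()).items():
        print(ip, info)   # 203.0.113.7 {'failures_in_window': 8, 'later_success': True}
```

When run against real logs, widen the window and lower the threshold cautiously: legitimate API clients with a stale stored password also produce repeated 401s, but they tend to repeat the same credential from the same IP at a steady rate rather than hundreds of distinct guesses in seconds.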
For the latest updates on critical vulnerabilities like this one, follow our security news section. Staying informed is key to maintaining a strong security posture and preventing unauthorized access to your systems and user data.