CVE-2026-33152

Source
https://cve.org/CVERecord?id=CVE-2026-33152
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33152.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33152
Aliases
  • GHSA-7m7c-jjqc-r522
Published
2026-03-26T19:07:39.225Z
Modified
2026-07-15T01:49:06.450832280Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Tandoor Recipes Vulnerable to Unrestricted Brute-Force via BasicAuthentication
Details

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration (ACCOUNTRATELIMITS: login: 5/m/ip) only applies to the HTML-based login endpoint at /accounts/login/. Any API endpoint that accepts authenticated requests can be targeted via Authorization: Basic headers with zero rate limiting, zero account lockout, and unlimited attempts. An attacker can perform high-speed password guessing against any known username. Version 2.6.0 patches the issue.

Database specific
{
    "cwe_ids": [
        "CWE-307"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33152.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/tandoorrecipes/recipes

Affected ranges

Type
GIT
Repo
https://github.com/tandoorrecipes/recipes
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.6.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

0.*
0.1.0
0.10.0
0.10.1
0.11.0
0.11.1
0.11.2
0.12.0
0.12.1
0.13.0
0.15.0
0.15.1
0.15.2
0.16.0
0.17.1
0.17.2
0.17.3
0.2.1
0.2.2
0.3.0
0.3.1
0.3.2
0.4.0
0.5.0
0.5.1
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.7.0
0.7.1
0.9.0
0.9.1
0.9.2
1.*
1.0.3
1.1.3
1.1.4
1.2.4
1.2.5
1.5.11
2.*
2.0.0-alpha-1
2.0.0-alpha-2
2.0.0-alpha-3
2.0.0-alpha-4
2.0.0-alpha-5
2.0.0-alpha-6
2.2.7
2.3.0
2.3.2
2.3.3
2.3.4
2.3.6
2.4.0
2.4.1
2.4.2
2.5.0
2.5.1
2.5.2
2.5.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33152.json"