Description

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration (ACCOUNT_RATE_LIMITS: login: 5/m/ip) only applies to the HTML-based login endpoint at /accounts/login/. Any API endpoint that accepts authenticated requests can be targeted via Authorization: Basic headers with zero rate limiting, zero account lockout, and unlimited attempts. An attacker can perform high-speed password guessing against any known username. Version 2.6.0 patches the issue.

INFO

Published Date :

2026-03-26T19:07:39.225Z

Last Modified :

2026-03-26T19:52:09.977Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33152 vulnerability.

Vendors Products
Tandoorrecipes
  • Recipes
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33152.

URL Resource
https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0 cve-icon cve-icon
https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-7m7c-jjqc-r522 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact