Zero Day Monitor
Zero Day Monitor © 2026
CVE-2026-33152 · CVSS 9.1 · Tandoor · Tandoor Recipes


Description

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration (ACCOUNT_RATE_LIMITS: login: 5/m/ip) only applies to the HTML-based login endpoint at /accounts/login/. Any API endpoint that accepts authenticated requests can be targeted via Authorization: Basic headers with zero rate limiting, zero account lockout, and unlimited attempts. An attacker can perform high-speed password guessing against any known username. Version 2.6.0 patches the issue.
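As an added illustration, not Tandoor's code and not the change shipped in 2.6.0, the settings below are constructed to mirror the gap the advisory describes: a DRF BasicAuthentication backend that verifies a password on every API request, outside the reach of AllAuth's ACCOUNT_RATE_LIMITS, together with a small audit function that flags it. The hardened variant, the TokenAuthentication backend and the AnonRateThrottle entries are assumptions used to show what does and does not close the gap.

```python
BASIC_AUTH = "rest_framework.authentication.BasicAuthentication"

# Constructed approximation of the pre-2.6.0 shape the advisory describes,
# plus a DRF anonymous throttle to show that it gives no protection here.
VULNERABLE_SETTINGS = {
    "REST_FRAMEWORK": {
        "DEFAULT_AUTHENTICATION_CLASSES": [
            "rest_framework.authentication.SessionAuthentication",
            BASIC_AUTH,
        ],
        "DEFAULT_THROTTLE_CLASSES": ["rest_framework.throttling.AnonRateThrottle"],
        "DEFAULT_THROTTLE_RATES": {"anon": "60/minute"},
    },
    # AllAuth applies this to /accounts/login/ only, never to API requests.
    "ACCOUNT_RATE_LIMITS": {"login": "5/m/ip"},
}

# Assumed hardened shape (not necessarily what 2.6.0 shipped): no backend that
# checks a raw password on API requests, so the only password-verifying
# endpoint left is the rate-limited AllAuth login view.
HARDENED_SETTINGS = {
    "REST_FRAMEWORK": {
        "DEFAULT_AUTHENTICATION_CLASSES": [
            "rest_framework.authentication.SessionAuthentication",
            "rest_framework.authentication.TokenAuthentication",
        ],
    },
    "ACCOUNT_RATE_LIMITS": {"login": "5/m/ip"},
}


def audit_password_guessing_surface(settings: dict) -> list[str]:
    """Return findings for unthrottled password-checking paths; empty means none."""
    drf = settings.get("REST_FRAMEWORK", {})
    auth_classes = drf.get("DEFAULT_AUTHENTICATION_CLASSES", [])
    findings = []
    if BASIC_AUTH in auth_classes:
        # Every request carrying Authorization: Basic is a password check that
        # never touches the AllAuth login view, so its limit does not apply.
        findings.append("BasicAuthentication verifies a password on every API "
                        "request; ACCOUNT_RATE_LIMITS['login'] does not cover it")
        if drf.get("DEFAULT_THROTTLE_CLASSES"):
            # DRF runs perform_authentication() before check_throttles(), so a
            # bad Basic credential raises AuthenticationFailed first and the
            # throttle is never consulted for the failed attempt.
            findings.append("DRF throttling does not limit failed Basic credentials")
    return findings
```

Removing the password-accepting backend is the fix that matters; a request-rate limit in front of the API (reverse proxy or middleware) can add defence in depth, but a DRF throttle alone does not.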

Affected Products

Vendor    Product            Versions
Tandoor   Tandoor Recipes    2.5.x

References

  • https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0
  • https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-7m7c-jjqc-r522

Related News (1 articles)

Tier C · VulDB · 2h ago
CVE-2026-33152 | TandoorRecipes recipes up to 2.5.x API Endpoint excessive authentication (GHSA-7m7c-jjqc-r522)
→ No new info (linked only)
CVSS 3.1: 9.1 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA KEV: No
Actively exploited: No
CWE: CWE-307
Published: 3/26/2026
Last enriched: 20m ago (v2)
Trending Score: 30
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack


Verification

State: verified
Confidence: 100%

Version History

v2 · Tier C · 20m ago (last enriched)

Added vendor and product information, updated affected versions to 2.5.x, changed severity to HIGH, and noted that no exploit exists.

Changed fields: vendor, product, affectedVersions, patchAvailable
via VulDB

v1 · 2h ago

Initial creation