CVE-2026-33152

Name of the Vulnerable Software and Affected Versions Tandoor Recipes versions prior to 2.6.0

Description Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions prior to 2.6.0 configure Django REST Framework with BasicAuthentication as a default authentication backend. The AllAuth rate limiting configuration only applies to the HTML-based login endpoint at /accounts/login/. Any API endpoint accepting authenticated requests can be targeted via Authorization: Basic headers without rate limiting, account lockout, or attempt limits. An attacker can perform high-speed password guessing against any known username. The vulnerable API endpoints are susceptible to brute-force attacks due to the lack of rate limiting on the BasicAuthentication method.

Recommendations Update Tandoor Recipes to version 2.6.0 or later.