CVE-2026-33153

Name of the Vulnerable Software and Affected Versions Tandoor Recipes versions prior to 2.6.0

Description The application is designed for managing recipes, planning meals, and creating shopping lists. A hidden query parameter, ?debug=true, within the Recipe API endpoint reveals the complete raw SQL query being executed. This includes table names, column names, JOIN relationships, WHERE conditions, and multi-tenant space IDs, potentially exposing access control logic. This parameter functions even in production mode (when DEBUG=False in Django) and is accessible to any authenticated user, regardless of their privilege level. An attacker with limited privileges could map the entire database schema and reverse-engineer the authorization model.

Recommendations Update to version 2.6.0 or later.