CVE-2026-25991
Tandoor Recipes affected by Blind SSRF with Internal Network Access via Recipe Import
In short
Tandoor Recipes has a flaw in its recipe import feature that lets logged-in users trick the server into connecting to internal networks or cloud services without proper checks. This could expose sensitive information about the server's internal setup.
Technical detail
A Blind SSRF vulnerability exists in the Cookmate recipe import functionality (cookbook/integration/cookmate.py): the destination URL is not re-validated after an HTTP redirect is followed, so any authenticated user can force server-side connections to arbitrary internal or external resources. The attack requires valid user credentials; the impact includes internal network reconnaissance, cloud metadata disclosure, and potential leakage of the server's real IP address.
Summary generated and translated by AI from the official description.
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, there is a Blind Server-Side Request Forgery (SSRF) vulnerability in the Cookmate recipe import feature of Tandoor Recipes. The application fails to validate the destination URL after following HTTP redirects, allowing any authenticated user (including standard users without administrative privileges) to force the server to connect to arbitrary internal or external resources. The vulnerability lies in cookbook/integration/cookmate.py, within the Cookmate integration class. This vulnerability can be leveraged to scan internal network ports, access cloud instance metadata (e.g., AWS/GCP Metadata Service), or disclose the server's real IP address. This vulnerability is fixed in 2.5.1.
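The flaw described above is a missing check on the hop that an HTTP client takes after a redirect. The following Python is an added example, not Tandoor's own code or its fix: it follows redirects by hand and validates every destination (scheme, then every address the host resolves to) against loopback, private, link-local and metadata ranges before a request is issued. The `transport` callable, the `resolver` hook and all host names, addresses and responses in `demo()` are assumptions constructed for an offline run.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Address ranges a server-side fetch should never reach. 169.254.0.0/16
# contains the cloud metadata endpoint (169.254.169.254) named in the advisory.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
        "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
        "::/128", "::1/128", "fc00::/7", "fe80::/10",
    )
]
ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5


class UnsafeDestination(ValueError):
    """Raised when a URL, or a redirect target, points somewhere disallowed."""


def resolve(host):
    """Resolve a hostname to every address it maps to (swapped out in tests)."""
    # info[4][0] is the address for both IPv4 and IPv6 sockaddr tuples; a
    # zone suffix such as %eth0 is dropped so ipaddress can parse it.
    return sorted({info[4][0].split("%", 1)[0]
                   for info in socket.getaddrinfo(host, None)})


def is_blocked_ip(ip_text):
    """True if the address is in a blocked range; IPv4-mapped IPv6 is unwrapped."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def assert_safe_url(url, resolver=resolve):
    """Reject bad schemes, then resolve the host and reject any blocked address."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise UnsafeDestination(f"scheme not allowed: {parsed.scheme!r}")
    if not parsed.hostname:
        raise UnsafeDestination("missing host")
    for ip_text in resolver(parsed.hostname):
        if is_blocked_ip(ip_text):
            raise UnsafeDestination(
                f"{parsed.hostname} resolves to blocked address {ip_text}")
    return parsed


def fetch_with_checked_redirects(url, transport, resolver=resolve,
                                 max_redirects=MAX_REDIRECTS):
    """Follow redirects by hand so that every hop passes assert_safe_url.

    `transport(url)` is assumed to issue ONE request with automatic
    redirects disabled and to return (status, headers_dict, body).
    Returns (final_url, status, body).
    """
    current = url
    for _ in range(max_redirects + 1):
        assert_safe_url(current, resolver)          # the check on every hop
        status, headers, body = transport(current)
        headers = {k.lower(): v for k, v in headers.items()}
        if status in REDIRECT_CODES and "location" in headers:
            current = urljoin(current, headers["location"])  # relative Location is allowed
            continue
        return current, status, body
    raise UnsafeDestination("too many redirects")


# Constructed offline scenario (no real hosts): the public import URL answers
# with a redirect to the metadata service, the hop the advisory says was unchecked.
FAKE_DNS = {
    "recipes.example": ["203.0.113.10"],
    "169.254.169.254": ["169.254.169.254"],
}
FAKE_RESPONSES = {
    "https://recipes.example/ok.json":
        (200, {"Content-Type": "application/json"}, b'{"recipes": []}'),
    "https://recipes.example/export.json":
        (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
}


def fake_resolver(host):
    return FAKE_DNS[host]


def fake_transport(url):
    return FAKE_RESPONSES[url]


def demo():
    """Return (result of the clean fetch, error text for the redirected one)."""
    ok = fetch_with_checked_redirects("https://recipes.example/ok.json",
                                      fake_transport, fake_resolver)
    try:
        fetch_with_checked_redirects("https://recipes.example/export.json",
                                     fake_transport, fake_resolver)
        blocked = None
    except UnsafeDestination as err:
        blocked = str(err)
    return ok, blocked


if __name__ == "__main__":
    print(demo())
```

Two caveats for anyone adapting this: the HTTP client itself must have automatic redirects turned off (for `requests`, `allow_redirects=False`), otherwise the library follows the hop before the check runs, which is the situation the advisory describes; and because the validator resolves the name once and the client resolves it again, a name whose answer changes between the two lookups (DNS rebinding) can still slip past, so a production fix should pin the connection to the address that was validated rather than letting the client resolve the host a second time.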
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected products
TandoorRecipes · recipes