CVE-2026-33153
Tandoor Recipes's Unauthenticated Debug Parameter Leaks Full Raw SQL Queries Including Schema, Table Names, and Access Control Logic
In short
Tandoor Recipes has a hidden debug feature that shows complete database queries to any logged-in user, revealing the entire database structure and how access control works. An attacker can use this information to find security weaknesses and bypass protections.
Technical detail
An unauthenticated debug parameter (?debug=true) in the Recipe API endpoint exposes raw SQL queries including schema, table relationships, and access control logic to any authenticated user, regardless of privilege level. This information disclosure occurs even in production (DEBUG=False) and enables schema reconnaissance and authorization bypass attacks.
Summary generated and translated by AI from the official description.
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the Recipe API endpoint exposes a hidden `?debug=true` query parameter that returns the complete raw SQL query being executed, including all table names, column names, JOIN relationships, WHERE conditions (revealing access control logic), and multi-tenant space IDs. This parameter works even when Django's `DEBUG=False` (production mode) and is accessible to any authenticated user regardless of their privilege level. This allows a low-privilege attacker to map the entire database schema and reverse-engineer the authorization model. Version 2.6.0 patches the issue.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Affected products
TandoorRecipes · recipesWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →