NIXPKGS-2026-0782

GitHub issue published 2 months, 4 weeks ago

Permalink CVE-2026-33153

updated 2 months, 4 weeks ago by @LeSuisse Activity log

Created suggestion 2 months, 4 weeks ago
@LeSuisse ignored package gnome-recipes 2 months, 4 weeks ago
@LeSuisse accepted 2 months, 4 weeks ago
@LeSuisse published on GitHub 2 months, 4 weeks ago

Tandoor Recipes's Unauthenticated Debug Parameter Leaks Full Raw SQL Queries Including Schema, Table Names, and Access Control Logic

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the Recipe API endpoint exposes a hidden `?debug=true` query parameter that returns the complete raw SQL query being executed, including all table names, column names, JOIN relationships, WHERE conditions (revealing access control logic), and multi-tenant space IDs. This parameter works even when Django's `DEBUG=False` (production mode) and is accessible to any authenticated user regardless of their privilege level. This allows a low-privilege attacker to map the entire database schema and reverse-engineer the authorization model. Version 2.6.0 patches the issue.

References

https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-f83r-v3h5-pchf x_refsource_CONFIRM
https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0 x_refsource_MISC

Affected products

recipes

==< 2.6.0

Matching in nixpkgs

pkgs.tandoor-recipes

Application for managing recipes, planning meals, building shopping lists and much much more!

nixos-unstable 2.5.3
- nixpkgs-unstable 2.5.3
- nixos-unstable-small 2.5.3

Ignored packages (1)

pkgs.gnome-recipes

None

Package maintainers

@jvanbruegge Jan van Brügge <supermanitu@gmail.com>
@ryand56 Ryan Omasta <git@ryand.ca>

Upstream advisory: https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-f83r-v3h5-pchf