NIXPKGS-2026-0782

GitHub issue published on 27 Mar 2026

Permalink CVE-2026-33153

updated 20 hours ago by @LeSuisse Activity log

Created automatic suggestion 1 day, 5 hours ago
@LeSuisse removed package gnome-recipes 20 hours ago
@LeSuisse accepted 20 hours ago
@LeSuisse published on GitHub 20 hours ago

Tandoor Recipes's Unauthenticated Debug Parameter Leaks Full Raw SQL Queries Including Schema, Table Names, and Access Control Logic

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the Recipe API endpoint exposes a hidden `?debug=true` query parameter that returns the complete raw SQL query being executed, including all table names, column names, JOIN relationships, WHERE conditions (revealing access control logic), and multi-tenant space IDs. This parameter works even when Django's `DEBUG=False` (production mode) and is accessible to any authenticated user regardless of their privilege level. This allows a low-privilege attacker to map the entire database schema and reverse-engineer the authorization model. Version 2.6.0 patches the issue.

References

https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-f83r-v3h5-pchf x_refsource_CONFIRM
https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0 x_refsource_MISC

Affected products

recipes

==< 2.6.0

Matching in nixpkgs

pkgs.tandoor-recipes

Application for managing recipes, planning meals, building shopping lists and much much more!

nixos-unstable 2.5.3
- nixpkgs-unstable 2.5.3
- nixos-unstable-small 2.5.3
nixos-25.11 2.5.3
- nixos-25.11-small 2.5.3
- nixpkgs-25.11-darwin 2.5.3

Ignored packages (1)

pkgs.gnome-recipes

Recipe management application for GNOME

Package maintainers

@jvanbruegge Jan van Brügge <supermanitu@gmail.com>

Upstream advisory: https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-f83r-v3h5-pchf