Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0811

NIXPKGS-2026-0811
published on
Permalink CVE-2026-33152
9.1 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 1 month ago by @LeSuisse Activity log
  • Created suggestion 1 month ago
  • @LeSuisse ignored package gnome-recipes 1 month ago
  • @LeSuisse accepted 1 month ago
  • @LeSuisse published on GitHub 1 month ago
Tandoor Recipes Vulnerable to Unrestricted Brute-Force via BasicAuthentication

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration (ACCOUNT_RATE_LIMITS: login: 5/m/ip) only applies to the HTML-based login endpoint at /accounts/login/. Any API endpoint that accepts authenticated requests can be targeted via Authorization: Basic headers with zero rate limiting, zero account lockout, and unlimited attempts. An attacker can perform high-speed password guessing against any known username. Version 2.6.0 patches the issue.

Affected products

recipes
  • ==< 2.6.0

Matching in nixpkgs

pkgs.tandoor-recipes

Application for managing recipes, planning meals, building shopping lists and much much more!

Ignored packages (1)

Package maintainers

Upstream advisory: https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-7m7c-jjqc-r522