CVE-2026-23838: CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory in NixOS nixpkgs
Tandoor Recipes is a recipe manager that can be installed with the Nix package manager. Starting in version 23.05 and prior to version 26.05, when using the default configuration of Tandoor Recipes, specifically using SQLite and the default `MEDIA_ROOT`, the full database file may be externally accessible, potentially on the Internet. The root cause is that the NixOS module configures the working directory of Tandoor Recipes, as well as the value of `MEDIA_ROOT`, to be `/var/lib/tandoor-recipes`. This causes Tandoor Recipes to create its `db.sqlite3` database file in the same directory as `MEDIA_ROOT`, making it accessible without authentication over HTTP like any other media file. This is the case when using `GUNICORN_MEDIA=1` or when using a web server like nginx to serve media files. NixOS 26.05 changes the default value of `MEDIA_ROOT` to a subfolder of the data directory. This only applies to configurations with `system.stateVersion` >= 26.05. For older configurations, one of the workarounds should be applied instead. NixOS 25.11 has received a backport of this patch, though it doesn't fix this vulnerability without user intervention. A recommended workaround is to move `MEDIA_ROOT` into a subdirectory. Non-recommended workarounds include switching to PostgreSQL or disallowing access to `db.sqlite3`.
AI Analysis
Technical Summary
CVE-2026-23838 is a vulnerability categorized under CWE-538 (Insertion of Sensitive Information into Externally-Accessible File or Directory) affecting the Tandoor Recipes application when installed via NixOS nixpkgs versions from 23.05 up to but not including 26.05. The root cause is the default configuration of the NixOS module, which sets both the working directory and MEDIA_ROOT to /var/lib/tandoor-recipes. Tandoor Recipes uses SQLite as its default database backend, creating the db.sqlite3 file within this directory. Because MEDIA_ROOT is served over HTTP—either through Gunicorn with GUNICORN_MEDIA=1 or via a web server like nginx—this database file becomes accessible externally without any authentication. This exposure risks unauthorized disclosure of all data stored in the SQLite database, including potentially sensitive user and recipe information. The vulnerability does not require any user interaction or privileges to exploit and can be triggered remotely over the network. NixOS 26.05 addresses this by changing MEDIA_ROOT to a subdirectory of the data directory, isolating the database file from web-accessible paths. NixOS 25.11 backported this patch, but it requires user intervention to be effective. Recommended mitigations include relocating MEDIA_ROOT to a subdirectory to separate media files from the database, switching to PostgreSQL which stores data outside the media directory, or configuring web server rules to deny HTTP access to db.sqlite3. No known exploits are currently reported in the wild. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/VC:H/VI:N/VA:N) indicates network attack vector, low complexity, no authentication or user interaction required, and high confidentiality impact, with no impact on integrity or availability.
Potential Impact
For European organizations, this vulnerability poses a significant risk of unauthorized data disclosure. Since the SQLite database file may contain sensitive user data, recipes, and potentially other private information, exposure could lead to privacy violations and data breaches under GDPR regulations. The ease of exploitation (no authentication or user interaction required) increases the likelihood of automated scanning and data theft. Organizations using default configurations of Tandoor Recipes on NixOS versions 23.05 to 26.05 are particularly vulnerable. This could impact sectors such as hospitality, culinary services, or any business using Tandoor Recipes for recipe management. Data leakage could result in reputational damage, regulatory fines, and loss of customer trust. Additionally, attackers could use exposed data to facilitate further attacks or social engineering. The vulnerability does not affect data integrity or availability directly but compromises confidentiality severely.
Mitigation Recommendations
European organizations should immediately audit their Tandoor Recipes installations on NixOS to determine if they are running affected versions with default MEDIA_ROOT configurations. The primary mitigation is to move MEDIA_ROOT into a dedicated subdirectory separate from the database file, ensuring that db.sqlite3 is not served over HTTP. This can be done by customizing the NixOS module configuration to set MEDIA_ROOT to a subfolder within /var/lib/tandoor-recipes or another directory not exposed by the web server. Alternatively, switching the database backend from SQLite to PostgreSQL is recommended, as PostgreSQL stores data outside the media directory and is not exposed via HTTP. If changing MEDIA_ROOT or database backend is not immediately feasible, web server configurations (nginx or Gunicorn) should be updated to explicitly deny access to db.sqlite3 and any other sensitive files. Organizations should also consider upgrading to NixOS 26.05 or later, which includes a safer default MEDIA_ROOT setting, and apply any backported patches available for earlier versions with user intervention. Regular security audits and monitoring for unauthorized access attempts to media directories are advised. Finally, ensure that backups and incident response plans are in place in case of data compromise.
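As an added audit helper (not part of the advisory, of Tandoor Recipes, or of the NixOS module), the following POSIX shell script checks the condition at the heart of this CVE: whether the default `db.sqlite3` in the service working directory resolves to a path inside `MEDIA_ROOT`, and would therefore be served as a media file. The working directory and `MEDIA_ROOT` are passed in explicitly (the operator is assumed to read them from the running service's environment); the directories in the demo are constructed temporary paths mirroring the vulnerable default and the subfolder layout.

```shell
#!/bin/sh
# Added audit helper for CVE-2026-23838; not code from the advisory or nixpkgs.
# Assumption: the database file uses the default name db.sqlite3 and lives in
# the service working directory, as described in the advisory.

# db_exposed WORKDIR MEDIA_ROOT
#   exit 0: db.sqlite3 lies inside MEDIA_ROOT (served over HTTP without auth)
#   exit 1: db.sqlite3 lies outside MEDIA_ROOT
#   exit 2: a directory could not be resolved
db_exposed() {
  workdir=$1
  media_root=$2
  # Resolve symlinks and trailing slashes (pwd -P) so a prefix comparison
  # is sound; e.g. /var/lib/tandoor-recipes vs /var/lib/tandoor-recipes/.
  db_dir=$(cd "$workdir" 2>/dev/null && pwd -P) || return 2
  media_dir=$(cd "$media_root" 2>/dev/null && pwd -P) || return 2
  # Append "/" to both sides so /srv/x is not treated as inside /srv/xy.
  case "$db_dir/" in
    "$media_dir"/*) return 0 ;;   # db.sqlite3 sits under MEDIA_ROOT
    *)              return 1 ;;   # separate tree: not reachable as media
  esac
}

# demo: walks through the two layouts the advisory describes using
# constructed temporary directories (no real Tandoor install required).
demo() {
  base=$(mktemp -d) || return 2
  mkdir -p "$base/media"
  # Vulnerable default on NixOS 23.05..25.11: working dir == MEDIA_ROOT.
  if db_exposed "$base" "$base"; then
    echo "default layout (MEDIA_ROOT = working dir): db.sqlite3 EXPOSED"
  fi
  # NixOS 26.05 default / recommended workaround: MEDIA_ROOT is a subfolder.
  if ! db_exposed "$base" "$base/media"; then
    echo "subfolder layout (MEDIA_ROOT = working dir/media): db.sqlite3 not served"
  fi
  rm -rf "$base"
}

demo
```

On a live host, run `db_exposed` with the service's actual working directory and the value of `MEDIA_ROOT` taken from its environment; exit status 0 means the workaround has not been applied.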
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-16T15:46:40.842Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 696e7765d302b072d9d13d4e
Added to database: 1/19/2026, 6:26:45 PM
Last enriched: 1/19/2026, 6:41:08 PM
Last updated: 1/19/2026, 8:21:09 PM