
CVE-2026-23838: CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory in NixOS nixpkgs

Severity: High
Published: Mon Jan 19 2026 (01/19/2026, 18:14:55 UTC)
Source: CVE Database V5
Vendor/Project: NixOS
Product: nixpkgs

Description

Tandoor Recipes is a recipe manager that can be installed with the Nix package manager. Starting in version 23.05 and prior to version 26.05, when using the default configuration of Tandoor Recipes, specifically using SQLite and the default `MEDIA_ROOT`, the full database file may be externally accessible, potentially on the Internet. The root cause is that the NixOS module configures the working directory of Tandoor Recipes, as well as the value of `MEDIA_ROOT`, to be `/var/lib/tandoor-recipes`. This causes Tandoor Recipes to create its `db.sqlite3` database file in the same directory as `MEDIA_ROOT`, making it accessible without authentication over HTTP like any other media file. This is the case when using `GUNICORN_MEDIA=1` or when using a web server like nginx to serve media files. NixOS 26.05 changes the default value of `MEDIA_ROOT` to a subfolder of the data directory. This only applies to configurations with `system.stateVersion` >= 26.05. For older configurations, one of the workarounds should be applied instead. NixOS 25.11 has received a backport of this patch, though it doesn't fix this vulnerability without user intervention. The recommended workaround is to move `MEDIA_ROOT` into a subdirectory. Non-recommended workarounds include switching to PostgreSQL or disallowing access to `db.sqlite3`.

AI-Powered Analysis

AI analysis last updated: 01/26/2026, 19:45:50 UTC

Technical Analysis

CVE-2026-23838 is a vulnerability in the Tandoor Recipes application when installed through the Nix package manager on NixOS, affecting versions from 23.05 up to but not including 26.05. The root cause is that the default NixOS module configuration sets both the working directory and MEDIA_ROOT to /var/lib/tandoor-recipes. Tandoor Recipes creates its SQLite database file (db.sqlite3) in its working directory, which is therefore also the directory served as media over HTTP, either by Gunicorn with GUNICORN_MEDIA=1 or by a web server such as nginx. The database file is consequently exposed to unauthenticated external access like any other media file, allowing an attacker to download it and extract sensitive information such as user credentials, personal data, and recipe content. The vulnerability is classified under CWE-538 (insertion of sensitive information into an externally accessible file or directory). NixOS 26.05 addresses this by changing the default MEDIA_ROOT to a subdirectory of the data directory, so that the database file no longer sits inside the served tree. This new default only applies to configurations with system.stateVersion >= 26.05; older configurations require manual mitigation. NixOS 25.11 received a backport of the patch, but it does not fix the vulnerability without user intervention. The recommended workaround is to move MEDIA_ROOT into a subdirectory, separating media files from the database. Switching to PostgreSQL (which does not store its data in the media directory) or denying access to db.sqlite3 at the web server are listed by the advisory as non-recommended workarounds. The vulnerability has a CVSS 4.0 base score of 8.7 (high severity): it is exploitable over the network without authentication, with low attack complexity and a high impact on confidentiality. No known exploits had been reported in the wild as of the publication date.

Potential Impact

For European organizations using Tandoor Recipes from NixOS nixpkgs versions 23.05 up to but not including 26.05 with the default configuration, this vulnerability poses a significant risk of data exposure. The SQLite database may contain sensitive user information, including personal data and potentially authentication credentials, which, if accessed by unauthorized parties, could lead to privacy violations, data breaches, and compliance issues under GDPR. Because the entire database file is exposed without authentication, an attacker can simply download and analyze it, increasing the risk of identity theft, credential stuffing, or further targeted attacks. Organizations relying on the default configuration and serving media files publicly without additional access controls are particularly exposed. The impact extends beyond confidentiality to potential reputational damage and regulatory penalties. Since the vulnerability is exploitable remotely without user interaction, it widens the attack surface for opportunistic attackers scanning for exposed database files. European entities in sectors such as hospitality or food services, or any organization using Tandoor Recipes for recipe management, could be affected, especially if they have not updated to NixOS 26.05 or applied the mitigations. The lack of known exploits in the wild reduces the immediate risk but does not eliminate the threat, since the public disclosure gives attackers what they need to develop one.

Mitigation Recommendations

European organizations should audit their Tandoor Recipes installations on NixOS to determine whether they run an affected version (>= 23.05 and < 26.05) with the default MEDIA_ROOT, use SQLite, and serve media files either through Gunicorn (GUNICORN_MEDIA=1) or through a web server such as nginx. The primary mitigation is to set MEDIA_ROOT to a dedicated subdirectory of /var/lib/tandoor-recipes so that media files no longer share a directory with db.sqlite3; only the subdirectory is then served, and the database file stays outside the served tree. The advisory also lists two non-recommended workarounds: migrating from SQLite to PostgreSQL, whose data is not stored under MEDIA_ROOT, or configuring the web server (e.g., nginx) to explicitly deny access to db.sqlite3 with a location block or access control rule. For deployments using Gunicorn with GUNICORN_MEDIA=1, either disable that setting or ensure MEDIA_ROOT is not the directory containing the database. Upgrading to NixOS 26.05 or later changes the default MEDIA_ROOT to a subdirectory, but only for configurations whose system.stateVersion is 26.05 or newer; existing systems with an older stateVersion keep the old default and must set MEDIA_ROOT explicitly. Regular backups and monitoring for unusual access patterns to media directories (for example, requests for db.sqlite3 in web server access logs) are advised. Finally, organizations should review their incident response plans to address potential data exposure and ensure compliance with GDPR notification requirements if a breach is suspected.
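The recommended workaround (MEDIA_ROOT in a subdirectory) next to the non-recommended web server deny rule, written as a NixOS configuration fragment. This is an added example, not code from the advisory or from nixpkgs. It assumes that the module exposes `services.tandoor-recipes.extraConfig` as an attribute set whose entries become environment variables overriding the module defaults, that Tandoor serves media under its default `MEDIA_URL` of `/media/`, and that the module listens on port 8080 by default; the subdirectory name `media` and the virtual host name are placeholders.

```nix
# Added example: NixOS configuration applying the CVE-2026-23838 workaround.
# Assumptions (not stated by the advisory): services.tandoor-recipes.extraConfig
# turns its attributes into environment variables that override the module
# defaults; "media" and "recipes.example.org" are placeholders; port 8080 is the
# module's assumed default and must match services.tandoor-recipes.port.
{ config, lib, pkgs, ... }:

{
  services.tandoor-recipes = {
    enable = true;

    extraConfig = {
      # Vulnerable layout (pre-26.05 module default, shown for comparison only):
      #   MEDIA_ROOT = "/var/lib/tandoor-recipes";
      # The working directory is the same path, so db.sqlite3 is created inside
      # the directory served as media and can be fetched like any upload.

      # Recommended workaround: serve media from a subdirectory of the state
      # directory. db.sqlite3 remains in /var/lib/tandoor-recipes, outside the
      # served tree. Existing uploads must be moved into the new directory once.
      MEDIA_ROOT = "/var/lib/tandoor-recipes/media";

      # Do not let Gunicorn serve media; nginx does it below.
      GUNICORN_MEDIA = "0";
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts."recipes.example.org" = {
      locations = {
        "/" = {
          proxyPass = "http://127.0.0.1:8080";
          proxyWebsockets = true;
        };

        # Media is served directly from the new MEDIA_ROOT.
        "/media/" = {
          alias = "/var/lib/tandoor-recipes/media/";
        };

        # Non-recommended fallback from the advisory, only needed if MEDIA_ROOT
        # has to stay at /var/lib/tandoor-recipes: refuse the database file at
        # the web server. The regex also matches SQLite's -journal, -wal and -shm
        # side files, which an exact match on db.sqlite3 alone would leave
        # reachable. Regex locations take priority over the /media/ prefix above.
        "~ ^/media/db\\.sqlite3" = {
          return = "404";
        };
      };
    };
  };
}
```

After deploying the MEDIA_ROOT change, verify from the host that `db.sqlite3` lives in `/var/lib/tandoor-recipes` and not under the new `media` subdirectory, and check the nginx access log for any prior requests to `/media/db.sqlite3`, which would indicate the exposure was already found.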


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-16T15:46:40.842Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 696e7765d302b072d9d13d4e

Added to database: 1/19/2026, 6:26:45 PM

Last enriched: 1/26/2026, 7:45:50 PM

Last updated: 2/6/2026, 3:25:10 AM
