CVE-2026-25964: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in TandoorRecipes recipes
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, a Path Traversal vulnerability in the RecipeImport workflow of Tandoor Recipes allows authenticated users with import permissions to read arbitrary files on the server. This vulnerability stems from a lack of input validation in the file_path parameter and insufficient checks in the Local storage backend, enabling an attacker to bypass storage directory restrictions and access sensitive system files (e.g., /etc/passwd) or application configuration files (e.g., settings.py), potentially leading to full system compromise. This vulnerability is fixed in 2.5.1.
AI Analysis
Technical Summary
CVE-2026-25964 is a path traversal vulnerability identified in the RecipeImport workflow of the Tandoor Recipes application, a tool used for managing recipes, meal planning, and shopping lists. The vulnerability exists in versions prior to 2.5.1 and is caused by improper input validation of the file_path parameter combined with insufficient enforcement of directory restrictions in the local storage backend. Authenticated users with import permissions can exploit this flaw to traverse outside the intended storage directory and access arbitrary files on the server filesystem. This can include critical system files such as /etc/passwd, which contains user account information, or application-specific configuration files like settings.py, which may contain sensitive credentials or configuration details. Although the vulnerability requires authentication with specific permissions, it does not require additional user interaction, making exploitation straightforward for authorized users. The vulnerability has a CVSS 3.1 base score of 4.9, reflecting medium severity due to the need for privileges but high confidentiality impact. No known exploits have been reported in the wild, but the potential for full system compromise exists if attackers leverage the disclosed information to escalate privileges or pivot within the environment. The issue was resolved in Tandoor Recipes version 2.5.1 by implementing proper input validation and enforcing strict directory restrictions in the storage backend.
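The containment check the analysis describes as missing from the local storage backend, shown as an added example: this is not Tandoor's own code, the function names are hypothetical, and the storage root is a constructed temporary directory.

```python
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the storage root."""


def naive_resolve(storage_root: str, file_path: str) -> str:
    # The defective pattern the advisory describes: the caller's file_path is
    # joined to the root with no containment check, so '..' segments or an
    # absolute path (which makes os.path.join discard the root) escape it.
    return os.path.join(storage_root, file_path)


def resolve_in_root(storage_root: str, file_path: str) -> str:
    """Resolve file_path relative to storage_root and refuse anything outside it.

    Both sides are canonicalised with realpath so that '..' segments, absolute
    paths and symlinks pointing out of the root are normalised before the
    containment check, instead of being matched as strings.
    """
    root = os.path.realpath(storage_root)
    candidate = os.path.realpath(os.path.join(root, file_path))
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversalError(f"path escapes storage root: {file_path!r}")
    return candidate


def is_contained(storage_root: str, file_path: str) -> bool:
    """True if file_path would be accepted by resolve_in_root."""
    try:
        resolve_in_root(storage_root, file_path)
    except PathTraversalError:
        return False
    return True


def read_storage_file(storage_root: str, file_path: str) -> bytes:
    """Hardened replacement for open(naive_resolve(root, file_path))."""
    with open(resolve_in_root(storage_root, file_path), "rb") as fh:
        return fh.read()


def make_sample_storage() -> str:
    """Constructed sample storage root holding one import file (for the demo)."""
    root = tempfile.mkdtemp(prefix="recipe_storage_")
    with open(os.path.join(root, "import.json"), "w", encoding="utf-8") as fh:
        fh.write('{"name": "sample recipe"}')
    return root
```

The check rejects the request before any file is opened, so a failed attempt surfaces as a single `PathTraversalError` that can be logged and alerted on.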
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily to those deploying Tandoor Recipes in environments where multiple users have import permissions. Unauthorized access to sensitive system and application files can lead to information disclosure, including user credentials and configuration secrets, which may facilitate further attacks such as privilege escalation or lateral movement. Organizations in sectors with strict data protection regulations (e.g., healthcare, finance, public sector) could face compliance violations if sensitive data is exposed. The medium CVSS score reflects the requirement for authenticated access, but the potential confidentiality impact is high. If exploited, attackers could gain insights into system configurations or user data, undermining trust and operational security. Additionally, since Tandoor Recipes is a niche application, the impact is more pronounced in organizations that rely on it for operational workflows, especially those with less mature access control policies. The absence of known exploits reduces immediate risk but should not lead to complacency, as attackers may develop exploits given the public disclosure.
Mitigation Recommendations
European organizations should immediately upgrade Tandoor Recipes to version 2.5.1 or later to remediate the vulnerability. Until patching is complete, restrict import permissions strictly to trusted and necessary users only. Implement robust access controls and monitor usage of the import functionality for unusual activity. Conduct regular audits of user permissions and review logs for attempts to access unauthorized files. Employ network segmentation to isolate servers running Tandoor Recipes from critical infrastructure to limit potential lateral movement. Additionally, consider deploying file integrity monitoring on critical configuration files to detect unauthorized access or changes. Educate administrators and users about the risks of path traversal vulnerabilities and the importance of applying security updates promptly. Finally, integrate this vulnerability into vulnerability management and incident response plans to ensure timely detection and remediation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-09T17:13:54.066Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698f723cc9e1ff5ad857abd4
Added to database: 2/13/2026, 6:49:32 PM
Last enriched: 2/13/2026, 7:04:12 PM
Last updated: 2/13/2026, 9:09:42 PM