CVE-2026-25991 is a Blind Server-Side Request Forgery (SSRF) vulnerability identified in the Cookmate integration component of Tandoor Recipes, an application used for recipe management and meal planning. The flaw resides in the handling of URLs during the recipe import process, specifically in the cookbook/integration/cookmate.py file. When a user imports recipes via the Cookmate feature, the application follows HTTP redirects but fails to validate the final destination URL properly. This oversight enables any authenticated user, including those with standard user privileges, to manipulate the server into sending HTTP requests to arbitrary destinations. Because the server acts as a proxy, attackers can scan internal network ports, potentially discovering sensitive services not exposed externally. Additionally, attackers can query cloud provider metadata endpoints (e.g., AWS EC2 or Google Cloud metadata services), which often contain sensitive information like instance credentials or configuration data. The vulnerability does not require administrative privileges or user interaction beyond authentication, increasing its risk. The CVSS v3.1 score is 7.7 (high), reflecting the vulnerability's ability to compromise confidentiality without impacting integrity or availability. The vulnerability was publicly disclosed on February 13, 2026, and is resolved in Tandoor Recipes version 2.5.1. No public exploit code or active exploitation has been reported to date.

For European organizations using Tandoor Recipes versions prior to 2.5.1, this SSRF vulnerability poses significant risks. Attackers with valid user credentials can leverage the flaw to perform internal reconnaissance, potentially identifying vulnerable internal services or misconfigurations. Access to cloud metadata services could lead to credential theft, enabling further lateral movement or data exfiltration. Disclosure of the server's real IP address may facilitate targeted attacks or bypass network protections. Given the application's use in meal planning and recipe management, organizations in hospitality, food services, or related sectors may be affected. The breach of confidentiality could expose sensitive business information or user data. While the vulnerability does not directly affect system integrity or availability, the indirect consequences of credential compromise or network mapping could lead to more severe attacks. The impact is heightened in cloud-hosted environments common in Europe, where metadata services are critical for instance management.

European organizations should immediately upgrade Tandoor Recipes to version 2.5.1 or later to apply the official patch addressing this SSRF vulnerability. Until the upgrade is possible, restrict access to the Cookmate import feature to trusted users only and monitor usage logs for suspicious activity. Implement network-level controls to limit outbound HTTP requests from the application server, especially to internal IP ranges and cloud metadata endpoints (e.g., block access to 169.254.169.254). Employ web application firewalls (WAFs) with rules designed to detect and block SSRF patterns, particularly those involving redirect chains or unusual URL parameters. Enforce the principle of least privilege for user accounts, ensuring that only necessary users have authentication access to the application. Conduct internal network segmentation to reduce the impact of potential SSRF exploitation. Regularly audit and monitor cloud metadata service access logs for anomalous queries. Finally, educate developers and administrators on secure URL validation and redirect handling to prevent similar vulnerabilities in future.