The vulnerability identified as CVE-2026-29055 affects Tandoor Recipes, a popular application for recipe management, meal planning, and shopping list creation. In versions before 2.6.0, the image processing pipeline does not remove EXIF metadata from WebP and GIF images uploaded by users. EXIF metadata often contains sensitive details such as GPS coordinates, camera make and model, timestamps, and software used to capture or edit the image. This oversight is due to the image processing code explicitly skipping metadata stripping, rescaling, and size validation for these formats, as noted in a developer TODO comment. When users upload photos in WebP format—which is the default format for many modern smartphones—this metadata remains embedded and is served to all users who can view the recipe, exposing potentially sensitive information. The vulnerability does not require authentication or user interaction to exploit, making it accessible to any remote attacker or user with upload privileges. The CVSS 3.1 base score is 5.3 (medium severity), reflecting the confidentiality impact without affecting integrity or availability. The issue was addressed and fixed in Tandoor Recipes version 2.6.0 by implementing proper EXIF metadata stripping for all supported image formats.

The primary impact of this vulnerability is the unintended disclosure of sensitive user information embedded in image metadata. Exposure of GPS coordinates can reveal precise user locations, potentially compromising user privacy and safety. Information about camera models and timestamps can aid attackers in profiling victims or correlating data for social engineering or targeted attacks. For organizations, this leakage could violate privacy policies or regulatory requirements, especially if users upload images from sensitive locations such as corporate premises or private residences. Although the vulnerability does not affect system integrity or availability, the confidentiality breach can erode user trust and lead to reputational damage. Since exploitation requires only image upload capability, any user or attacker with upload access can trigger the exposure, increasing the risk in multi-user or public-facing deployments. The lack of known exploits in the wild suggests limited active exploitation but does not diminish the potential privacy risks.

Organizations and users should upgrade Tandoor Recipes to version 2.6.0 or later, where the vulnerability is fixed by proper EXIF metadata stripping for all image formats. Until upgrading is possible, administrators can implement server-side image processing controls to strip metadata from uploaded images before storage or display, using tools like ExifTool or ImageMagick with metadata removal options. Restricting image upload privileges to trusted users can reduce exposure risk. Additionally, educating users about the risks of uploading images containing sensitive metadata and encouraging them to sanitize images locally before upload can help mitigate leakage. Monitoring and auditing uploaded images for embedded metadata can detect ongoing exposure. Finally, reviewing privacy policies and informing users about potential metadata exposure enhances transparency and compliance.