
CVE-2026-33152: CWE-307: Improper Restriction of Excessive Authentication Attempts in TandoorRecipes recipes

Severity: Critical
Tags: Vulnerability, CVE-2026-33152, CWE-307
Published: Thu Mar 26 2026 (03/26/2026, 19:07:39 UTC)
Source: CVE Database V5
Vendor/Project: TandoorRecipes
Product: recipes

Description

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration (ACCOUNT_RATE_LIMITS: login: 5/m/ip) only applies to the HTML-based login endpoint at /accounts/login/. Any API endpoint that accepts authenticated requests can be targeted via Authorization: Basic headers with zero rate limiting, zero account lockout, and unlimited attempts. An attacker can perform high-speed password guessing against any known username. Version 2.6.0 patches the issue.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/26/2026, 19:45:15 UTC

Technical Analysis

Tandoor Recipes is a web application for recipe management, meal planning, and shopping list creation. Prior to version 2.6.0, its Django REST Framework (DRF) configuration lists BasicAuthentication among the default authentication classes for the API. The application rate-limits the HTML login endpoint (/accounts/login/) through allauth's ACCOUNT_RATE_LIMITS setting (login: 5/m/ip, i.e. five attempts per minute per IP), but that limiter only guards the allauth login view; it is never consulted when an API view authenticates a request from an Authorization: Basic header. DRF's own throttle classes do not fill the gap either: an APIView authenticates the request before it checks throttles, so an invalid Basic header is rejected with a 401 before any throttle counter is reached. An attacker who knows or can guess a username can therefore submit an unlimited number of passwords against any API endpoint, with no rate limit and no account lockout. This is an improper restriction of excessive authentication attempts (CWE-307) that enables high-speed password guessing; a successful guess gives the attacker the victim's password and full access to the account and the data reachable through it. The vulnerability is tracked as CVE-2026-33152 with a CVSS 3.1 base score of 9.1 (critical): network attack vector, low attack complexity, no privileges required, no user interaction, high impact on confidentiality and integrity, and no impact on availability. Version 2.6.0 patches the issue.
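The following is an added example, not Tandoor's code and not the 2.6.0 fix, showing the shape of a control that closes the gap described above: a failure counter keyed on (client IP, username) that is consulted before the Basic credentials are verified at all. The thresholds (5 failures per 60 seconds, mirroring the allauth HTML limit), the in-memory store and the demo user are assumptions for illustration. In a multi-worker Django deployment the counters would live in the shared cache, and a DRF authentication class wrapping BasicAuthentication would turn the "throttled" result into an HTTP 429.

```python
import base64
import binascii
import time
from collections import defaultdict, deque

# Assumed thresholds for the example: the same 5 per minute per IP that the
# HTML login already has. They are not Tandoor's values for the API.
MAX_FAILURES = 5
WINDOW_SECONDS = 60.0


def parse_basic_header(header):
    """Decode an 'Authorization: Basic <b64>' value into (username, password).

    Returns None for a missing, non-Basic or malformed header so the caller
    can fall through to the next authentication scheme instead of counting
    the request as a failed guess."""
    if not header:
        return None
    parts = header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    username, password = decoded.split(":", 1)   # RFC 7617: password may contain ':'
    return username, password


def make_basic_header(username, password):
    """Build the header value a client would send (used by the demo below)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


class BasicAuthGuard:
    """Sliding-window failure counter in front of password verification.

    verify(username, password) -> bool is the real credential check (in Django
    that would be django.contrib.auth.authenticate). It is only called while
    the (ip, username) pair is under the failure limit, so a brute-force client
    is refused before any password hashing happens."""

    def __init__(self, verify, max_failures=MAX_FAILURES,
                 window=WINDOW_SECONDS, clock=time.monotonic):
        self.verify = verify
        self.max_failures = max_failures
        self.window = window
        self.clock = clock
        self.failures = defaultdict(deque)   # (ip, username) -> failure timestamps

    def authenticate(self, client_ip, header):
        """Return 'no_credentials', 'throttled', 'failed' or 'ok'."""
        creds = parse_basic_header(header)
        if creds is None:
            return "no_credentials"
        username, password = creds
        now = self.clock()
        recent = self.failures[(client_ip, username)]
        while recent and now - recent[0] > self.window:
            recent.popleft()                  # forget failures outside the window
        if len(recent) >= self.max_failures:
            return "throttled"                # map to HTTP 429 in the view layer
        if self.verify(username, password):
            recent.clear()                    # a success resets the counter
            return "ok"
        recent.append(now)
        return "failed"


def demo():
    """Constructed scenario: 100 guesses per second against one username."""
    users = {"alice": "correct horse battery staple"}   # constructed user store
    clock = [1000.0]
    guard = BasicAuthGuard(lambda u, p: users.get(u) == p, clock=lambda: clock[0])
    ip = "203.0.113.7"
    outcomes = []
    for i in range(6):
        outcomes.append(guard.authenticate(ip, make_basic_header("alice", f"guess{i}")))
        clock[0] += 0.01
    # Even the right password is refused while the pair is throttled ...
    outcomes.append(guard.authenticate(ip, make_basic_header("alice", users["alice"])))
    clock[0] += WINDOW_SECONDS + 1
    # ... and accepted again once the window has expired.
    outcomes.append(guard.authenticate(ip, make_basic_header("alice", users["alice"])))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Keying on the (IP, username) pair is a deliberate middle ground: keying on the username alone lets anyone lock a victim out, while keying on the IP alone gives an attacker with many source addresses a fresh budget per address. A production control usually combines the pair with a larger per-username cap, and refuses throttled requests before hashing the password so the limiter also bounds the CPU an attacker can burn.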

Potential Impact

The vulnerability allows attackers to perform brute-force password guessing attacks at high speed against any known username on Tandoor Recipes API endpoints without restriction. This can lead to unauthorized access to user accounts, exposing sensitive personal data such as meal plans, recipes, and shopping lists. Compromised accounts may also be leveraged for further attacks within an organization’s environment if Tandoor Recipes is integrated with other systems or contains sensitive business information. The lack of rate limiting on API authentication increases the risk of credential stuffing and password spraying attacks, potentially resulting in widespread account compromise. Organizations relying on vulnerable versions face risks of data breaches, loss of user trust, and compliance violations. Although no known exploits are reported in the wild yet, the critical severity and ease of exploitation make this a high-priority threat requiring immediate remediation.

Mitigation Recommendations

1. Upgrade Tandoor Recipes to version 2.6.0 or later, which patches the issue.
2. Until the upgrade is in place, rate-limit authentication attempts at the edge: have the reverse proxy, API gateway or web application firewall (WAF) count 401 responses to API paths for requests that carry an Authorization: Basic header, keyed on client address, and block or slow a client that exceeds a few failures per minute. Counting failed responses rather than all API traffic avoids throttling legitimate token-based clients.
3. Enforce strong password policies and encourage multi-factor authentication (MFA). Note that an Authorization: Basic header carries only a username and password, so a second factor enforced on the HTML login flow is not consulted while the API accepts Basic credentials; MFA protects the API only once password-only authentication there is turned off.
4. Monitor authentication logs and reverse-proxy access logs for bursts of failed API authentication: many 401 responses to API endpoints from one address in a short time, or a sustained rise in 401s spread across many addresses, which is what a distributed guessing or password-spraying run looks like.
5. Disable BasicAuthentication in favor of token-based or OAuth2 authentication where feasible, after migrating any integrations that still send Basic credentials to API tokens.
6. Conduct regular security assessments and penetration testing to detect similar weaknesses in authentication controls; in particular, test every authentication path (HTML login, API token, Basic, session) against the same limit, since a limiter on one path says nothing about the others.
7. Educate users about phishing and credential reuse risks: phishing gives attackers valid usernames to target, and a reused password that has leaked elsewhere is the first guess they will try.
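As an added example for recommendation 4 (not from the page's source and not Tandoor's code), the following script scans reverse-proxy access logs in the nginx combined format for bursts of 401 responses to API paths from a single client, which is what the attack described above looks like from outside the application. The log lines, the /api/ prefix, the client addresses and the threshold of 20 failures within 60 seconds are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# nginx "combined" format; the timestamp uses %d/%b/%Y:%H:%M:%S %z.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def detect_auth_bursts(lines, threshold=20, window_seconds=60, api_prefix="/api/"):
    """Flag clients that produce >= threshold 401s under api_prefix within
    window_seconds. Lines are assumed to be in time order, as in a log file.

    Returns {ip: (timestamp of the first alert, failures in the window)}."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 401 or not rec["path"].startswith(api_prefix):
            continue
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while (window[-1] - window[0]).total_seconds() > window_seconds:
            window.popleft()              # drop failures older than the window
        if len(window) >= threshold and rec["ip"] not in alerts:
            alerts[rec["ip"]] = (rec["ts"], len(window))
    return alerts


def build_sample_log():
    """Constructed log: one client guessing passwords at 2.5 requests/second
    against /api/recipe/, mixed with ordinary traffic from another client."""
    base = datetime(2026, 3, 26, 19, 7, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path, status, ua):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 52 "-" "{ua}"'

    lines = [line("198.51.100.4", 0, "GET", "/api/recipe/", 200, "Mozilla/5.0"),
             line("198.51.100.4", 4, "POST", "/api/recipe/", 403, "Mozilla/5.0")]
    lines += [line("203.0.113.7", 10 + i * 0.4, "GET", "/api/recipe/", 401,
                   "python-requests/2.31.0") for i in range(25)]
    lines.append(line("198.51.100.4", 30, "GET", "/api/recipe/", 401, "Mozilla/5.0"))
    return lines


if __name__ == "__main__":
    for ip, (when, count) in detect_auth_bursts(build_sample_log()).items():
        print(f"ALERT {ip}: {count} API 401s within 60s, first seen {when.isoformat()}")
```

The access log does not record whether a 401 came from a Basic header or from an expired token, so the rate, not the individual response, is the signal; a single 401 from the second client above is ignored. A per-address threshold also misses an attacker who spreads guesses across many source addresses, so pair this with an aggregate 401 rate per API path.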


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-17T21:17:08.885Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69c589313c064ed76fb167cd

Added to database: 3/26/2026, 7:29:53 PM

Last enriched: 3/26/2026, 7:45:15 PM

Last updated: 3/26/2026, 8:35:39 PM

Views: 6

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses