CVE-2026-33153 affects Tandoor Recipes, an application for recipe management, meal planning, and shopping list creation. In versions before 2.6.0, the Recipe API endpoint includes a hidden query parameter, ?debug=true, which when appended to requests, returns the complete raw SQL query executed by the backend. This output includes detailed information such as table names, column names, JOIN relationships, WHERE clauses revealing access control logic, and multi-tenant space identifiers. Critically, this debug parameter is accessible to any authenticated user, regardless of their privilege level, and remains active even when Django's DEBUG setting is disabled (production mode). This exposure allows attackers with minimal privileges to gain deep insight into the database schema and authorization mechanisms, facilitating further attacks such as SQL injection or privilege escalation. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and has a CVSS 4.0 base score of 7.7, indicating high severity. No known exploits are reported in the wild yet. The issue is resolved in Tandoor Recipes version 2.6.0, which removes or restricts this debug functionality.

The vulnerability enables attackers with only authenticated access to extract sensitive internal database structure and authorization logic, significantly lowering the barrier for further exploitation. By revealing raw SQL queries, attackers can identify injection points, understand multi-tenant data segregation, and potentially craft targeted SQL injection attacks to exfiltrate or manipulate data. This compromises confidentiality and integrity of the application data and may lead to unauthorized data access or modification. The exposure of access control logic also risks privilege escalation attacks. Organizations relying on Tandoor Recipes for managing sensitive recipe data or user information face risks of data breaches, loss of customer trust, and potential regulatory non-compliance. The vulnerability's ease of exploitation without requiring elevated privileges or user interaction increases its threat level, especially in environments with many authenticated users or weak authentication controls.

The primary mitigation is to upgrade Tandoor Recipes to version 2.6.0 or later, where the ?debug=true parameter is removed or properly secured. Until upgrade, organizations should implement strict access controls on the Recipe API endpoint, limiting access only to highly trusted users or internal networks. Employ web application firewalls (WAFs) to detect and block requests containing the ?debug=true parameter. Review and harden authentication mechanisms to minimize unauthorized authenticated access. Conduct thorough code audits to ensure no other debug or diagnostic endpoints expose sensitive information. Monitor logs for unusual API requests that include the debug parameter. Additionally, implement database-level security controls such as least privilege for application database users and query parameterization to reduce SQL injection risks. Regularly review and update security policies around application debugging features in production environments.