Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the Recipe API endpoint exposes a hidden `?debug=true` query parameter that returns the complete raw SQL query being executed, including all table names, column names, JOIN relationships, WHERE conditions (revealing access control logic), and multi-tenant space IDs. This parameter works even when Django's `DEBUG=False` (production mode) and is accessible to any authenticated user regardless of their privilege level. This allows a low-privilege attacker to map the entire database schema and reverse-engineer the authorization model. Version 2.6.0 patches the issue.
PUBLISHED5.2CWE-89
Tandoor Recipes's Unauthenticated Debug Parameter Leaks Full Raw SQL Queries Including Schema, Table Names, and Access Control Logic
Problem type
Affected products
TandoorRecipes
recipes
< 2.6.0 - AFFECTED
References
https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-f83r-v3h5-pchf
https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-f83r-v3h5-pchf
https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0
https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-33153Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-33153",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-03-26T19:52:10.149Z",
"dateReserved": "2026-03-17T21:17:08.886Z",
"datePublished": "2026-03-26T19:06:16.020Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-03-26T19:06:16.020Z"
},
"title": "Tandoor Recipes's Unauthenticated Debug Parameter Leaks Full Raw SQL Queries Including Schema, Table Names, and Access Control Logic",
"descriptions": [
{
"lang": "en",
"value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the Recipe API endpoint exposes a hidden `?debug=true` query parameter that returns the complete raw SQL query being executed, including all table names, column names, JOIN relationships, WHERE conditions (revealing access control logic), and multi-tenant space IDs. This parameter works even when Django's `DEBUG=False` (production mode) and is accessible to any authenticated user regardless of their privilege level. This allows a low-privilege attacker to map the entire database schema and reverse-engineer the authorization model. Version 2.6.0 patches the issue."
}
],
"affected": [
{
"vendor": "TandoorRecipes",
"product": "recipes",
"versions": [
{
"version": "< 2.6.0",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
"cweId": "CWE-89",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-f83r-v3h5-pchf",
"name": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-f83r-v3h5-pchf",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0",
"name": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-03-26T19:52:10.149Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}