CVE-2026-23838
Unauthorized Database Exposure in Tandoor Recipes via Misconfigured MEDIA_ROOT
Publication date: 2026-01-19
Last updated on: 2026-01-19
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nixos | tandoor_recipes | From 23.05 (inc) to 26.05 (exc) |
| nixos | tandoor_recipes | 26.05 |
| nixos | tandoor_recipes | 25.11 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-538 | The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23838 is a high-severity vulnerability in the NixOS Tandoor Recipes module affecting versions 23.05 through 25.11. The vulnerability arises because the SQLite database file (db.sqlite3) is stored in the same directory as the media files (MEDIA_ROOT), which is by default /var/lib/tandoor-recipes. Since this directory is served over HTTP as media files (e.g., via GUNICORN_MEDIA=1 or nginx), the database file becomes accessible externally without authentication. This exposure allows unauthorized users to access sensitive data stored in the database. The root cause is the default configuration that sets MEDIA_ROOT and the working directory to the same path, causing the database file to be served as a media file. The vulnerability is fixed in version 26.05 by changing MEDIA_ROOT to a subdirectory, isolating the database from publicly accessible media files. [1, 3, 4]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability exposes the SQLite database file containing potentially sensitive information to unauthorized external access via HTTP without authentication. Such exposure can lead to unauthorized disclosure of personal or sensitive data, which may violate data protection regulations and standards like GDPR and HIPAA that require safeguarding personal and sensitive information against unauthorized access. Therefore, the vulnerability negatively impacts compliance by risking data confidentiality and potentially leading to breaches of regulatory requirements for data protection. [1, 3]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized external access to the full SQLite database file of Tandoor Recipes, exposing all stored data without any authentication. Since the database may contain sensitive user information, recipes, and other private data, an attacker could retrieve this information simply by accessing the media URL serving the database file. This compromises confidentiality and could lead to data breaches, privacy violations, and potential misuse of the exposed data. The vulnerability requires no privileges or user interaction to exploit and can be triggered remotely over the network. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the SQLite database file (db.sqlite3) is accessible via HTTP on the server hosting Tandoor Recipes. For example, you can use a command like `curl -I http://<server-address>/db.sqlite3` to see if the database file is served without authentication. A 200 OK response with a content type such as `application/vnd.sqlite3` indicates exposure. Additionally, inspecting the MEDIA_ROOT configuration to see if it points to the same directory as the database file (/var/lib/tandoor-recipes) can help identify vulnerable setups. [3]
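The two checks from the answer above (the MEDIA_ROOT layout and the HTTP probe) as a small audit script; this is an added example, not code from the advisory or from the Tandoor or NixOS projects. It assumes the advisory's default paths and adds a content check on the SQLite file header, which also catches servers that advertise the file as `application/octet-stream` rather than `application/vnd.sqlite3`.

```shell
#!/bin/sh
# Added example, not from the advisory or the Tandoor/NixOS projects.
# Two checks for the exposure described above: (1) layout, whether the SQLite
# file sits inside the directory served as MEDIA_ROOT; (2) content, whether a
# fetched body starts with the SQLite file header, which also catches servers
# that label the file application/octet-stream rather than application/vnd.sqlite3.
# Paths are the advisory's defaults; the sample responses are constructed.

# Returns 0 when the database lives in or under MEDIA_ROOT (so it is served).
db_inside_media_root() {
  media_root=${1%/}   # drop one trailing slash so the prefix match is exact
  case "$2" in
    "$media_root"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when stdin starts with the 15-byte SQLite magic "SQLite format 3"
# (the NUL that follows it in a real file is not compared).
looks_like_sqlite() {
  [ "$(head -c 15)" = "SQLite format 3" ]
}

# Fetches only the first 15 bytes of a URL and applies the rule above; more
# reliable than trusting the advertised Content-Type.
probe_url() {
  curl -s -r 0-14 "$1" | looks_like_sqlite
}

# Classifies a captured `curl -sI <url>` response: "exposed" for a 200 whose
# Content-Type mentions sqlite, "served" for any other 200 (then confirm with
# probe_url), "not-served" for everything else.
classify_head_response() {
  status=$(printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
  ctype=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^content-type:' | tr 'A-Z' 'a-z')
  case "$status:$ctype" in
    200:*sqlite*) echo exposed ;;
    200:*)        echo served ;;
    *)            echo not-served ;;
  esac
}

# Constructed sample responses (not captured from a real host).
SAMPLE_VULNERABLE='HTTP/1.1 200 OK
Content-Type: application/vnd.sqlite3
Content-Length: 241664'
SAMPLE_FIXED='HTTP/1.1 404 Not Found
Content-Type: text/html'
```

Run `db_inside_media_root "$MEDIA_ROOT" /var/lib/tandoor-recipes/db.sqlite3` on the host and `probe_url http://<server-address>/db.sqlite3` from outside it; either returning 0 means the database is reachable as a media file.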
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Stop the Tandoor Recipes service.
2. Create a subdirectory within the data directory for media files, for example `/var/lib/tandoor-recipes/media`.
3. Move existing media files into this new subdirectory.
4. Update the NixOS configuration to set `MEDIA_ROOT` to this subdirectory (e.g., `services.tandoor-recipes.extraConfig.MEDIA_ROOT`).
5. Adjust any web server or reverse proxy configurations (such as nginx) to serve media files from the new subdirectory or to explicitly deny access to `db.sqlite3`.
6. Rebuild and restart the Tandoor Recipes service.

Alternative mitigations include switching to PostgreSQL as the database backend or configuring the web server to deny access to the database file, but these are less recommended and not future-proof. [1, 2, 4]