CVE-2026-25964
Awaiting Analysis - Queue
Path Traversal in Tandoor Recipes Allows Arbitrary File Access

Publication date: 2026-02-13

Last updated on: 2026-02-17

Assigner: GitHub, Inc.

Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, a Path Traversal vulnerability in the RecipeImport workflow of Tandoor Recipes allows authenticated users with import permissions to read arbitrary files on the server. This vulnerability stems from a lack of input validation in the file_path parameter and insufficient checks in the Local storage backend, enabling an attacker to bypass storage directory restrictions and access sensitive system files (e.g., /etc/passwd) or application configuration files (e.g., settings.py), potentially leading to full system compromise. This vulnerability is fixed in 2.5.1.
Meta Information
Published: 2026-02-13
Last Modified: 2026-02-17
Generated: 2026-05-27
AI Q&A: 2026-02-13
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 1 associated CPE
Vendor: tandoor
Product: recipes
Version / Range: up to 2.5.1 (excluding 2.5.1)
CWE
CWE-73: The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-25964 is a Path Traversal vulnerability in the Tandoor Recipes application, specifically in the RecipeImport workflow. It allows authenticated users with import permissions to read arbitrary files on the server by exploiting insufficient input validation on the file_path parameter and inadequate checks in the Local storage backend.

The vulnerability arises because the application does not properly restrict file access, enabling attackers to bypass storage directory restrictions and access sensitive system files such as /etc/passwd or application configuration files like settings.py.

The attack involves creating a malicious import object with a crafted file_path, triggering the import process to persist this path, and then downloading the arbitrary file content.

This flaw was fixed in version 2.5.1 by introducing strict path validation that ensures file operations only occur within explicitly allowed directories.


How can this vulnerability impact me?

This vulnerability can have several impacts if exploited:

  • Unauthorized disclosure of sensitive system files such as /etc/passwd, which can lead to user enumeration.
  • Exposure of application secrets by accessing configuration files like settings.py or .env, potentially revealing SECRET_KEY, database credentials, and other sensitive data.
  • Source code exposure, which can aid attackers in understanding the application internals and facilitate further attacks.
  • Potential full system compromise due to the sensitive information disclosed.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious API requests to the Tandoor Recipes application, specifically targeting the RecipeImport workflow endpoints such as `/api/recipe-import/`, `/api/recipe-import/<IMPORT_ID>/import_recipe/`, and `/api/get_recipe_file/<RECIPE_ID>/`.

Look for authenticated user requests that include unusual or absolute file paths in the `file_path` parameter, such as paths pointing to system files like `/etc/passwd` or application configuration files like `settings.py`.

Suggested commands to detect exploitation attempts include:

  • Using web server logs (e.g., nginx or Apache) to grep for suspicious API calls with path traversal patterns:
    `grep -E '/api/recipe-import/.*file_path=.*(/etc/passwd|\.\./|/root/|/usr/)' /var/log/nginx/access.log`
  • Using application logs to identify exceptions or errors related to path validation failures, such as messages containing "Path not allowed".
  • If you have access to the application database, query for RecipeImport or Recipe objects with suspicious `file_path` values outside the allowed directories.
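The grep above only matches literal traversal strings; the following added example (written for this page, not code from Tandoor or from the advisory) scans constructed nginx access-log lines, percent-decodes the `file_path` value so encoded variants are not missed, and then lists follow-up `import_recipe`/`get_recipe_file` calls by the same users, matching the create, trigger, fetch sequence described earlier. The log lines and the `ALLOWED_ROOTS` directory are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed nginx "combined" log lines standing in for real traffic (not from the page).
SAMPLE_LOG = """\
10.0.0.5 - alice [13/Feb/2026:10:01:02 +0000] "POST /api/recipe-import/?file_path=/srv/tandoor/import/dinner.zip HTTP/1.1" 201 312 "-" "Mozilla/5.0"
10.0.0.9 - bob [13/Feb/2026:10:03:44 +0000] "POST /api/recipe-import/?file_path=../../etc/passwd HTTP/1.1" 201 310 "-" "python-requests/2.31"
10.0.0.9 - bob [13/Feb/2026:10:03:45 +0000] "POST /api/recipe-import/17/import_recipe/ HTTP/1.1" 200 64 "-" "python-requests/2.31"
10.0.0.9 - bob [13/Feb/2026:10:04:01 +0000] "POST /api/recipe-import/?file_path=%252Fopt%252Ftandoor%252Fsettings.py HTTP/1.1" 201 310 "-" "python-requests/2.31"
"""
# Assumed import directory; the page names LOCAL_STORAGE_PATHS but not its value.
ALLOWED_ROOTS = ("/srv/tandoor/import",)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SENSITIVE = re.compile(r"/etc/passwd|settings\.py|(^|/)\.env$|/root/|/usr/")


def is_suspicious_file_path(value: str, allowed_roots=ALLOWED_ROOTS) -> bool:
    """True for '..' segments, known sensitive targets, or absolute paths outside allowed roots."""
    path = unquote(value).replace("\\", "/")  # parse_qs decoded once; a second unquote catches double-encoding
    if ".." in path.split("/") or SENSITIVE.search(path):
        return True
    if path.startswith("/"):
        return not any(path == r or path.startswith(r + "/") for r in allowed_roots)
    return False


def find_suspicious_activity(log_text: str, allowed_roots=ALLOWED_ROOTS):
    """Return (hits, follow_ups): crafted file_path requests, then later import/download
    calls by the same users, matching the create -> trigger -> fetch sequence described above."""
    parsed = [m for m in map(LOG_RE.match, log_text.splitlines()) if m]
    hits, flagged_users = [], set()
    for m in parsed:
        target = m.group("target")
        if not target.startswith("/api/recipe-import/"):
            continue
        for value in parse_qs(urlsplit(target).query).get("file_path", []):
            if is_suspicious_file_path(value, allowed_roots):
                flagged_users.add(m.group("user"))
                hits.append((m.group("user"), m.group("ip"), target))
    follow_ups = [
        (m.group("user"), m.group("ip"), m.group("target"))
        for m in parsed
        if m.group("user") in flagged_users
        and ("/import_recipe/" in m.group("target") or "/api/get_recipe_file/" in m.group("target"))
    ]
    return hits, follow_ups


if __name__ == "__main__":
    hits, follow_ups = find_suspicious_activity(SAMPLE_LOG)
    print("crafted file_path requests:", hits)
    print("follow-up calls by flagged users:", follow_ups)
```

Note that a default nginx or Apache access log records only the request line, so a `file_path` sent in a POST body (rather than the query string) will not appear there; application logs or the database query mentioned above are needed for that case.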


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the Tandoor Recipes application to version 2.5.1 or later, where this vulnerability is fixed by enforcing strict path validation and restricting file operations to allowed directories.

If upgrading immediately is not possible, consider the following temporary mitigations:

  • Restrict access to the RecipeImport API endpoints to only trusted and necessary users with import permissions.
  • Implement network-level controls such as firewall rules or API gateway filters to block requests containing suspicious file paths or path traversal patterns.
  • Review and tighten the `LOCAL_STORAGE_PATHS` configuration to limit file operations strictly to safe directories.
  • Monitor logs for exploitation attempts and respond promptly to any detected suspicious activity.
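As an added illustration of the kind of check the 2.5.1 fix and the `LOCAL_STORAGE_PATHS` mitigation above describe (example code written for this page, not Tandoor's own implementation), the function below canonicalises a requested `file_path` and accepts it only if it stays inside one of the configured directories. The `LOCAL_STORAGE_PATHS` values are a constructed assumption.

```python
import os

# Constructed allow-list standing in for Tandoor's LOCAL_STORAGE_PATHS setting
# (assumption: the real setting's format is not shown on the page).
LOCAL_STORAGE_PATHS = ["/srv/tandoor/import", "/srv/tandoor/media/recipes"]


class PathNotAllowed(ValueError):
    """Raised when a requested file_path resolves outside every allowed directory."""


def resolve_allowed_path(file_path: str, allowed_roots=LOCAL_STORAGE_PATHS) -> str:
    """Return the canonical form of file_path if it lies under an allowed root, else raise.

    Both sides are canonicalised with os.path.realpath, which collapses '..' segments and
    follows symlinks for the parts that exist, and containment is decided with
    os.path.commonpath rather than a string-prefix test, so '/srv/tandoor/import_evil/x'
    is not mistaken for a child of '/srv/tandoor/import'. A relative file_path is
    interpreted against the first allowed root.
    """
    if not allowed_roots:
        raise PathNotAllowed("no storage directories configured")
    if "\x00" in file_path:
        raise PathNotAllowed("NUL byte in path")
    candidate = file_path if os.path.isabs(file_path) else os.path.join(allowed_roots[0], file_path)
    real = os.path.realpath(candidate)
    for root in allowed_roots:
        real_root = os.path.realpath(root)
        if os.path.commonpath([real_root, real]) == real_root:
            return real
    raise PathNotAllowed(f"path not allowed: {file_path!r}")


def is_allowed(file_path: str, allowed_roots=LOCAL_STORAGE_PATHS) -> bool:
    """Boolean wrapper for callers that only need an accept/reject decision."""
    try:
        resolve_allowed_path(file_path, allowed_roots)
        return True
    except PathNotAllowed:
        return False


if __name__ == "__main__":
    for p in ["recipes/dinner.zip", "../../etc/passwd", "/etc/passwd",
              "/srv/tandoor/import_evil/x", "/srv/tandoor/media/recipes/1/photo.jpg"]:
        print(f"{p!r:45} -> {'allowed' if is_allowed(p) else 'rejected'}")
```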
