CVE-2026-25964
Awaiting Analysis Awaiting Analysis - Queue
Path Traversal in Tandoor Recipes Allows Arbitrary File Access

Publication date: 2026-02-13

Last updated on: 2026-02-17

Assigner: GitHub, Inc.

Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, a Path Traversal vulnerability in the RecipeImport workflow of Tandoor Recipes allows authenticated users with import permissions to read arbitrary files on the server. This vulnerability stems from a lack of input validation in the file_path parameter and insufficient checks in the Local storage backend, enabling an attacker to bypass storage directory restrictions and access sensitive system files (e.g., /etc/passwd) or application configuration files (e.g., settings.py), potentially leading to full system compromise. This vulnerability is fixed in 2.5.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-13
Last Modified
2026-02-17
Generated
2026-06-16
AI Q&A
2026-02-13
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25964
EUVD
EUVD-2026-5929
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tandoor recipes to 2.5.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25964 is a Path Traversal vulnerability in the Tandoor Recipes application, specifically in the RecipeImport workflow. It allows authenticated users with import permissions to read arbitrary files on the server by exploiting insufficient input validation on the file_path parameter and inadequate checks in the Local storage backend.

The vulnerability arises because the application does not properly restrict file access, enabling attackers to bypass storage directory restrictions and access sensitive system files such as /etc/passwd or application configuration files like settings.py.

The attack involves creating a malicious import object with a crafted file_path, triggering the import process to persist this path, and then downloading the arbitrary file content.

This flaw was fixed in version 2.5.1 by introducing strict path validation that ensures file operations only occur within explicitly allowed directories.

Impact Analysis

This vulnerability can have several impacts if exploited:

  • Unauthorized disclosure of sensitive system files such as /etc/passwd, which can lead to user enumeration.
  • Exposure of application secrets by accessing configuration files like settings.py or .env, potentially revealing SECRET_KEY, database credentials, and other sensitive data.
  • Source code exposure, which can aid attackers in understanding the application internals and facilitate further attacks.
  • Potential full system compromise due to the sensitive information disclosed.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious API requests to the Tandoor Recipes application, specifically targeting the RecipeImport workflow endpoints such as `/api/recipe-import/`, `/api/recipe-import/<IMPORT_ID>/import_recipe/`, and `/api/get_recipe_file/<RECIPE_ID>/`.'}, {'type': 'paragraph', 'content': 'Look for authenticated user requests that include unusual or absolute file paths in the `file_path` parameter, such as paths pointing to system files like `/etc/passwd` or application configuration files like `settings.py`.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect exploitation attempts include:'}, {'type': 'list_item', 'content': 'Using web server logs (e.g., nginx or Apache) to grep for suspicious API calls with path traversal patterns:'}, {'type': 'list_item', 'content': " `grep -E '/api/recipe-import/.*file_path=.*(/etc/passwd|\\.\\./|/root/|/usr/)' /var/log/nginx/access.log`"}, {'type': 'list_item', 'content': 'Using application logs to identify exceptions or errors related to path validation failures, such as messages containing "Path not allowed".'}, {'type': 'list_item', 'content': 'If you have access to the application database, query for RecipeImport or Recipe objects with suspicious `file_path` values outside the allowed directories.'}] [2, 1]

Mitigation Strategies

The immediate mitigation step is to upgrade the Tandoor Recipes application to version 2.5.1 or later, where this vulnerability is fixed by enforcing strict path validation and restricting file operations to allowed directories.

If upgrading immediately is not possible, consider the following temporary mitigations:

  • Restrict access to the RecipeImport API endpoints to only trusted and necessary users with import permissions.
  • Implement network-level controls such as firewall rules or API gateway filters to block requests containing suspicious file paths or path traversal patterns.
  • Review and tighten the `LOCAL_STORAGE_PATHS` configuration to limit file operations strictly to safe directories.
  • Monitor logs for exploitation attempts and respond promptly to any detected suspicious activity.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25964. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart