CVE-2026-29055
Received Received - Intake
EXIF Data Exposure in Tandoor Recipes via WebP Uploads

Publication date: 2026-03-26

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the image processing pipeline in Tandoor Recipes explicitly skips EXIF metadata stripping, image rescaling, and size validation for WebP and GIF image formats. A developer TODO comment in the source code acknowledges this as a known issue. As a result, when users upload recipe photos in WebP format (the default format for modern smartphone cameras), their sensitive EXIF data β€” including GPS coordinates, camera model, timestamps, and software information β€” is stored and served to all users who can view the recipe. Version 2.6.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-29055
EUVD
EUVD-2026-16297
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tandoor recipes to 2.6.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1230 The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-29055 is a vulnerability in the Tandoor Recipes application (versions prior to 2.6.0) related to how it processes image uploads, specifically WebP and GIF formats.

The application skips important processing steps such as stripping EXIF metadata, image rescaling, and size validation for these image types. As a result, sensitive EXIF metadata embedded in uploaded WebP imagesβ€”like GPS coordinates, camera model, timestamps, and software informationβ€”is stored and served to all users who can view the recipe images.

This happens because the image processing function returns the raw uploaded image for WebP and GIF formats without any modification, unlike JPEG and PNG images which are properly processed.

Impact Analysis

This vulnerability can lead to a privacy breach by exposing sensitive EXIF metadata to any user who can view the uploaded recipe images.

  • Leakage of GPS coordinates, potentially revealing exact photo locations such as home or workplace.
  • Device fingerprinting through camera make and model information.
  • Reconstruction of user activity timelines using timestamps embedded in the images.
  • Operating system fingerprinting from software version tags.
  • Potential thumbnail leakage even if users crop images.
Compliance Impact

The vulnerability may cause violations of privacy regulations such as GDPR and CCPA due to the unauthorized retention and exposure of personal data embedded in EXIF metadata.

Since sensitive personal information like location data and device identifiers is exposed without user consent or proper safeguards, affected organizations could face compliance issues under these regulations.

Detection Guidance

This vulnerability can be detected by inspecting uploaded WebP or GIF images in the Tandoor Recipes application to check if they contain EXIF metadata such as GPS coordinates, camera model, timestamps, or software information.

One approach is to download images uploaded to the system and analyze their metadata using image processing tools or libraries that can read EXIF data.

For example, you can use the command-line tool 'exiftool' to inspect images for embedded metadata:

  • exiftool image.webp
  • exiftool image.gif

If these commands reveal GPS coordinates, camera details, or timestamps, it indicates the vulnerability is present and EXIF data is not being stripped.

Mitigation Strategies

The immediate mitigation step is to upgrade the Tandoor Recipes application to version 2.6.0 or later, where the vulnerability has been fixed by implementing proper EXIF metadata stripping and image validation for WebP and GIF formats.

Until the upgrade is applied, avoid accepting WebP and GIF image uploads or manually strip EXIF metadata from these images before uploading them.

You can use tools like 'exiftool' to remove metadata from images before upload:

  • exiftool -all= image.webp
  • exiftool -all= image.gif

Additionally, review and restrict image upload formats or implement server-side image processing to ensure metadata is stripped.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29055. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart