CVE-2026-29055
Status: Received - Intake
EXIF Data Exposure in Tandoor Recipes via WebP Uploads

Publication date: 2026-03-26

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the image processing pipeline in Tandoor Recipes explicitly skips EXIF metadata stripping, image rescaling, and size validation for WebP and GIF image formats. A developer TODO comment in the source code acknowledges this as a known issue. As a result, when users upload recipe photos in WebP format (the default format for modern smartphone cameras), their sensitive EXIF data, including GPS coordinates, camera model, timestamps, and software information, is stored and served to all users who can view the recipe. Version 2.6.0 fixes the issue.
Meta Information
Published: 2026-03-26
Last Modified: 2026-03-30
Generated: 2026-05-06
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: tandoor
Product: recipes
Version / Range: all versions before 2.6.0 (2.6.0 excluded)
CWE
CWE-1230: The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-29055 is a vulnerability in the Tandoor Recipes application (versions prior to 2.6.0) in how it processes image uploads, specifically the WebP and GIF formats.

For these two formats the application skips the processing steps it applies to JPEG and PNG: stripping EXIF metadata, rescaling the image, and validating its size. The image processing function simply returns the raw uploaded file for WebP and GIF. As a result, any EXIF metadata embedded in an uploaded WebP, such as GPS coordinates, camera make and model, timestamps, and the software tag, is stored as-is and served to every user who can view the recipe image.


How can this vulnerability impact me?

This vulnerability can lead to a privacy breach by exposing sensitive EXIF metadata to any user who can view the uploaded recipe images.

  • Leakage of GPS coordinates, potentially revealing exact photo locations such as home or workplace.
  • Device fingerprinting through camera make and model information.
  • Reconstruction of user activity timelines using timestamps embedded in the images.
  • Operating system fingerprinting from software version tags.
  • Leakage of the original, uncropped picture: EXIF can embed a thumbnail of the image as captured, so it may survive even when the user cropped the image before uploading.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability may cause violations of privacy regulations such as GDPR and CCPA due to the unauthorized retention and exposure of personal data embedded in EXIF metadata.

Since sensitive personal information like location data and device identifiers is exposed without user consent or proper safeguards, affected organizations could face compliance issues under these regulations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection has two parts. First, check the running Tandoor Recipes version: anything earlier than 2.6.0 is affected. Second, inspect images that were uploaded as WebP or GIF: download them from the application (or read them directly from the media directory on the host) and read their metadata with a tool that understands EXIF and XMP, for example exiftool:

  • exiftool image.webp
  • exiftool -gps:all -Make -Model -Software -DateTimeOriginal image.webp
  • exiftool image.gif

The second command narrows the output to the tags the advisory is concerned with. If a WebP shows GPS coordinates, camera make or model, timestamps, or a software tag, metadata is not being stripped. Two caveats: GIF has no EXIF segment, so what a GIF can carry is XMP or a comment extension, and the GIF half of this issue is mainly the skipped rescaling and size validation rather than GPS leakage; and identify files by content (exiftool's FileType, or the file command) rather than by extension, so that a WebP stored under another name is not missed.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Tandoor Recipes to version 2.6.0 or later; that release fixes the issue by applying EXIF metadata stripping and image validation to WebP and GIF uploads as well. The upgrade changes how new uploads are processed; unless the release also reprocesses stored files, images already on disk keep whatever metadata they had, so strip those in place or have users re-upload them. exiftool removes all metadata without re-encoding the image:

  • exiftool -all= image.webp
  • exiftool -all= image.gif
  • exiftool -all= -overwrite_original -r /path/to/mediafiles   (recursive, without keeping backup copies; the path is illustrative)

Until the upgrade is applied, either stop accepting WebP and GIF uploads or have users strip metadata before uploading, using the same exiftool -all= commands. Longer term, treat metadata stripping as a server-side invariant for every accepted format rather than a per-format special case: a processing function that returns the raw upload for any format is the root cause here.
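The exiftool commands in the detection and mitigation answers above do this from the command line. The following is an added example, not Tandoor's code and not the 2.6.0 fix, that performs the same two operations in Python directly on the WebP container: it walks the RIFF chunks, reads the EXIF chunk's TIFF directory for the tags the advisory names (Make, Model, Software, DateTime, and the GPS sub-IFD), and rewrites the file without the EXIF and XMP chunks while leaving the image bitstream untouched. The sample WebP is constructed inside the block (its VP8L image-data chunk is a placeholder, not a decodable bitstream); the tag numbers and chunk layout are those of the TIFF/EXIF and WebP container specifications, and only the standard library is used.

```python
"""Added example (not Tandoor's code): detect and strip EXIF/XMP in a WebP
container using only the standard library."""
import struct

# Tags the advisory names, plus the pointer to the GPS sub-IFD.
TIFF_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
             0x0132: "DateTime", 0x8825: "GPSInfo"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}
METADATA_CHUNKS = {b"EXIF", b"XMP "}      # RIFF FourCCs (note the trailing space in XMP)
VP8X_EXIF, VP8X_XMP = 0x08, 0x04          # feature flags in the VP8X header byte


def iter_chunks(data):
    """Yield (fourcc, payload) for every RIFF chunk of a WebP file."""
    if data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a WebP file")
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        yield fourcc, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)      # payloads are padded to an even length


def _read_ifd(tiff, order, offset, names):
    """Return {name: value} for the wanted ASCII/LONG entries of one TIFF IFD."""
    count = struct.unpack_from(order + "H", tiff, offset)[0]
    found = {}
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n, raw = struct.unpack_from(order + "HHI4s", tiff, entry)
        if tag not in names:
            continue
        if typ == 2:                      # ASCII: stored inline if it fits in 4 bytes
            start = entry + 8 if n <= 4 else struct.unpack(order + "I", raw)[0]
            found[names[tag]] = tiff[start:start + n].rstrip(b"\0").decode("ascii", "replace")
        elif typ == 4 and n == 1:         # LONG, e.g. the offset of the GPS IFD
            found[names[tag]] = struct.unpack(order + "I", raw)[0]
        else:                             # RATIONAL coordinates etc.: presence is enough
            found[names[tag]] = "<present>"
    return found


def exif_summary(data):
    """Sensitive EXIF tags carried by a WebP; an empty dict means no EXIF chunk."""
    for fourcc, payload in iter_chunks(data):
        if fourcc != b"EXIF":
            continue
        tiff = payload[6:] if payload[:6] == b"Exif\0\0" else payload   # tolerate JPEG-style prefix
        order = "<" if tiff[:2] == b"II" else ">"
        ifd0 = struct.unpack_from(order + "I", tiff, 4)[0]
        tags = _read_ifd(tiff, order, ifd0, TIFF_TAGS)
        if "GPSInfo" in tags:
            tags["GPS"] = _read_ifd(tiff, order, tags.pop("GPSInfo"), GPS_TAGS)
        return tags
    return {}


def _chunk(fourcc, payload):
    return fourcc + struct.pack("<I", len(payload)) + payload + (b"\0" if len(payload) & 1 else b"")


def strip_metadata(data):
    """Rewrite the WebP without EXIF/XMP chunks; the image bitstream is copied as-is."""
    body = b""
    for fourcc, payload in iter_chunks(data):
        if fourcc in METADATA_CHUNKS:
            continue
        if fourcc == b"VP8X":             # clear the flags that announce the dropped chunks
            payload = bytes([payload[0] & ~(VP8X_EXIF | VP8X_XMP)]) + payload[1:]
        body += _chunk(fourcc, payload)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WEBP" + body


def build_sample_webp():
    """Constructed test input (not a real photo): a VP8X WebP whose EXIF chunk has
    Make, Software and a GPS sub-IFD. The VP8L chunk is a placeholder."""
    def entry(tag, typ, n, value):
        return struct.pack("<HHI", tag, typ, n) + value
    make = b"Acme Phone\0\0"              # 12 bytes, too long to inline, stored at offset 50
    ifd0 = struct.pack("<H", 3) + entry(0x010F, 2, len(make), struct.pack("<I", 50)) \
        + entry(0x0131, 2, 4, b"v1\0\0") + entry(0x8825, 4, 1, struct.pack("<I", 62)) \
        + struct.pack("<I", 0)            # 8-byte header + 42-byte IFD0 -> data starts at 50
    gps = struct.pack("<H", 2) + entry(0x0001, 2, 2, b"N\0\0\0") \
        + entry(0x0003, 2, 2, b"E\0\0\0") + struct.pack("<I", 0)
    tiff = b"II*\0" + struct.pack("<I", 8) + ifd0 + make + gps
    vp8x = bytes([VP8X_EXIF, 0, 0, 0]) + (0).to_bytes(3, "little") * 2   # 1x1 canvas
    body = _chunk(b"VP8X", vp8x) + _chunk(b"EXIF", tiff) + _chunk(b"VP8L", b"\x2f\0\0\0\0")
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WEBP" + body


if __name__ == "__main__":
    sample = build_sample_webp()
    print("before:", exif_summary(sample))                    # Make, Software, GPS refs
    print("after: ", exif_summary(strip_metadata(sample)))    # {}
```

Chunk removal keeps the encoded pixels byte-for-byte, which is what a stripping step should do when the rescaling and size-validation steps the advisory also mentions are handled separately; a full re-encode through an image library is the alternative, but then metadata survival depends on what that library carries over, so the result should still be checked with exif_summary or exiftool.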

