CVE-2026-33148
Received Received - Intake
URL Parameter Injection in Tandoor Recipes Causes DoS

Publication date: 2026-03-26

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the FDC (USDA FoodData Central) search endpoint constructs an upstream API URL by directly interpolating the user-supplied `query` parameter into the URL string without URL-encoding. An attacker can inject additional URL parameters by including `&` characters in the query value. This allows overriding the API key, manipulating upstream query behavior, and causing server crashes (HTTP 500) via malformed requests β€” a Denial of Service condition. Version 2.6.0 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33148
EUVD
EUVD-2026-16311
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tandoor recipes to 2.6.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33148 is a vulnerability in the Tandoor Recipes application affecting the FDC (USDA FoodData Central) Food Search API in versions prior to 2.6.0. The issue occurs because the API endpoint constructs an upstream API URL by directly inserting user-supplied query parameters into the URL string without proper URL encoding.

This allows an attacker to inject additional URL parameters by including '&' characters in the query value. For example, an attacker can add their own API key or manipulate query parameters, which can cause server crashes (HTTP 500 errors) and other unexpected behaviors.

The vulnerability enables denial of service through server crashes, exposure and override of the legitimate API key, and manipulation of the upstream USDA API query behavior.

Impact Analysis

This vulnerability can impact you by causing denial of service conditions where the server crashes and becomes unavailable due to malformed requests with injected parameters.

Additionally, attackers can override the server's API key with their own, potentially abusing the upstream USDA API service under your account, which could lead to unexpected charges or rate limiting.

The legitimate API key is also exposed in URLs, logs, and caches, increasing the risk of key leakage and unauthorized use.

Manipulation of upstream query parameters can alter the behavior of the API responses, potentially affecting the integrity of the data your application receives.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by monitoring for malformed requests to the FDC (USDA FoodData Central) search endpoint that include injected URL parameters via the `query` parameter. Specifically, look for requests where the `query` parameter contains `&` characters that inject additional parameters such as `api_key`.

One way to test for this vulnerability is to send crafted requests that include injected parameters and observe if the server crashes with HTTP 500 errors or if the API key is overridden.

Example commands to test this using curl include:

  • curl -v 'https://your-tandoor-instance/api/food/search?query=test&api_key=INJECTED'
  • curl -v 'https://your-tandoor-instance/api/food/search?query=test%26api_key%3DINJECTED'

Observe if the server returns HTTP 500 errors or if the response behavior changes, indicating successful injection.

Mitigation Strategies

The immediate mitigation step is to upgrade Tandoor Recipes to version 2.6.0 or later, where this vulnerability has been patched by implementing proper URL encoding and input validation for the `query` parameter.

Until the upgrade can be performed, consider implementing input validation or filtering on the `query` parameter to disallow `&` characters or other special characters that could be used for parameter injection.

Additionally, monitor server logs for unusual or malformed requests and consider rate limiting or blocking suspicious requests to reduce the risk of denial of service.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33148. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart