CVE-2026-33148
URL Parameter Injection in Tandoor Recipes Causes DoS
Publication date: 2026-03-26
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tandoor | recipes | versions before 2.6.0 (2.6.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-33148 is a vulnerability in the Tandoor Recipes application affecting the FDC (USDA FoodData Central) Food Search API in versions prior to 2.6.0. The issue occurs because the API endpoint constructs an upstream API URL by directly inserting user-supplied query parameters into the URL string without proper URL encoding.
This allows an attacker to inject additional URL parameters by including '&' characters in the query value. For example, an attacker can add their own API key or manipulate query parameters, which can cause server crashes (HTTP 500 errors) and other unexpected behaviors.
The vulnerability enables denial of service through server crashes, exposure and override of the legitimate API key, and manipulation of the upstream USDA API query behavior.
How can this vulnerability impact me?
This vulnerability can impact you by causing denial of service conditions where the server crashes and becomes unavailable due to malformed requests with injected parameters.
Additionally, attackers can override the server's API key with their own, potentially abusing the upstream USDA API service under your account, which could lead to unexpected charges or rate limiting.
The legitimate API key is also exposed in URLs, logs, and caches, increasing the risk of key leakage and unauthorized use.
Manipulation of upstream query parameters can alter the behavior of the API responses, potentially affecting the integrity of the data your application receives.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for malformed requests to the FDC (USDA FoodData Central) search endpoint that include injected URL parameters via the `query` parameter. Specifically, look for requests where the `query` parameter contains `&` characters that inject additional parameters such as `api_key`.
One way to test for this vulnerability is to send crafted requests that include injected parameters and observe if the server crashes with HTTP 500 errors or if the API key is overridden.
Example commands to test this using curl include:
- `curl -v 'https://your-tandoor-instance/api/food/search?query=test&api_key=INJECTED'`
- `curl -v 'https://your-tandoor-instance/api/food/search?query=test%26api_key%3DINJECTED'`
Observe if the server returns HTTP 500 errors or if the response behavior changes, indicating successful injection.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Tandoor Recipes to version 2.6.0 or later, where this vulnerability has been patched by implementing proper URL encoding and input validation for the `query` parameter.
Until the upgrade can be performed, consider implementing input validation or filtering on the `query` parameter to disallow `&` characters or other special characters that could be used for parameter injection.
Additionally, monitor server logs for unusual or malformed requests and consider rate limiting or blocking suspicious requests to reduce the risk of denial of service.
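As an added illustration (not Tandoor's own code), the unencoded URL construction the explanation above describes, beside the encoded form the fix relies on, plus the interim input check from the mitigation answer; the upstream endpoint URL and the `query`/`api_key` layout are assumptions.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed upstream search endpoint; the page does not quote the real URL.
FDC_SEARCH = "https://api.nal.usda.gov/fdc/v1/foods/search"


def build_url_vulnerable(query: str, api_key: str) -> str:
    """Hypothetical reconstruction of the flawed pattern: the user value is
    interpolated raw, so a '&' in it starts a new upstream parameter."""
    return f"{FDC_SEARCH}?query={query}&api_key={api_key}"


def build_url_fixed(query: str, api_key: str) -> str:
    """urlencode() percent-encodes '&' and '=' inside the value, so the
    whole user string stays inside the single 'query' parameter."""
    return f"{FDC_SEARCH}?{urlencode({'query': query, 'api_key': api_key})}"


def effective_params(url: str) -> dict:
    """What the upstream server would parse out of the URL; duplicate keys
    are kept so an injected api_key shows up alongside the server's."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def query_is_acceptable(query: str) -> bool:
    """Interim filter from the mitigation advice: refuse values that carry
    URL delimiters. Encoding at construction time is still the real fix."""
    return not any(ch in query for ch in "&=?#")


def demo() -> dict:
    # Constructed sample input mirroring the page's curl test.
    injected = "test&api_key=INJECTED"
    return {
        "vulnerable": effective_params(build_url_vulnerable(injected, "SERVER")),
        "fixed": effective_params(build_url_fixed(injected, "SERVER")),
        "filter_rejects": not query_is_acceptable(injected),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```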