Executive Summary

CVE-2026-33152 is a critical vulnerability in Tandoor Recipes versions prior to 2.6.0 involving the use of Basic Authentication in the Django REST Framework API without any rate limiting or account lockout protections.

While the HTML login endpoint enforces rate limiting (5 login attempts per minute per IP), this protection does not apply to API endpoints that accept Authorization: Basic headers.

As a result, attackers can perform unlimited, high-speed password guessing attacks (brute-force or dictionary attacks) against any known username via API endpoints without triggering lockouts or throttling.

This allows fully automated credential stuffing and brute-force attacks, making all user accounts vulnerable.

The vulnerability corresponds to CWE-307: Improper Restriction of Excessive Authentication Attempts and was fixed in version 2.6.0 by adding appropriate rate limiting or throttling to API authentication.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to perform unlimited automated password guessing attacks against any known username on Tandoor Recipes API endpoints.

• Attackers can execute high-speed brute-force or dictionary attacks without any rate limiting or account lockout.
• Credential stuffing attacks using leaked credentials are possible.
• User accounts can be compromised due to the lack of throttling and lockout mechanisms.
• Confidentiality and integrity of user data are at high risk.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the API endpoints of Tandoor Recipes for Basic Authentication without rate limiting or account lockout.

A proof of concept involves sending multiple rapid authentication attempts with incorrect passwords to an API endpoint that accepts Authorization: Basic headers and observing the responses.

• Use curl or similar tools to send repeated requests with Basic Authentication headers to an API endpoint.
• Example command to test failed attempts (replace USERNAME, PASSWORD, and API_URL accordingly):
• for i in {1..20}; do curl -i -u USERNAME:PASSWORD -X GET https://API_URL/api/endpoint/; done

If all failed attempts return HTTP 403 without any HTTP 429 (Too Many Requests) or account lockout, it indicates no rate limiting is applied.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Tandoor Recipes to version 2.6.0 or later, where the vulnerability has been patched.

The patch presumably adds appropriate rate limiting or throttling to API authentication endpoints to prevent unlimited brute-force attempts.

If upgrading is not immediately possible, consider implementing additional rate limiting or throttling mechanisms on the API endpoints that accept Basic Authentication headers.

Also, monitor authentication attempts and consider blocking IPs with suspiciously high failed login rates.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to perform high-speed brute-force attacks on user accounts without any rate limiting or account lockout, potentially leading to unauthorized access to sensitive user data.

Such unauthorized access risks violating common standards and regulations like GDPR and HIPAA, which require protecting personal and sensitive information against unauthorized access and ensuring appropriate security controls are in place.

The lack of throttling or lockout mechanisms on API authentication endpoints increases the risk of credential stuffing and account compromise, which could lead to data breaches and non-compliance with these regulations.

Useful 0 Not Useful 0