CVE-2026-33153
Received Received - Intake
Information Disclosure via Debug Parameter in Tandoor Recipes API

Publication date: 2026-03-26

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the Recipe API endpoint exposes a hidden `?debug=true` query parameter that returns the complete raw SQL query being executed, including all table names, column names, JOIN relationships, WHERE conditions (revealing access control logic), and multi-tenant space IDs. This parameter works even when Django's `DEBUG=False` (production mode) and is accessible to any authenticated user regardless of their privilege level. This allows a low-privilege attacker to map the entire database schema and reverse-engineer the authorization model. Version 2.6.0 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33153
EUVD
EUVD-2026-16317
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tandoor recipes to 2.6.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33153 is an information disclosure vulnerability in Tandoor Recipes versions prior to 2.6.0. The Recipe API endpoint exposes a hidden query parameter `?debug=true` that returns the complete raw SQL query executed by the backend. This includes detailed schema information such as table names, column names, JOIN relationships, WHERE conditions revealing access control logic, and multi-tenant space IDs.

This debug parameter works even when Django's DEBUG setting is set to False (production mode) and is accessible to any authenticated user regardless of their privilege level. This means a low-privilege attacker can use this parameter to map the entire database schema and reverse-engineer the authorization model.

The vulnerability arises because the code checks for the presence of the debug parameter but does not verify if debugging is enabled, nor does it check user privileges or implement rate limiting or audit logging. The issue was fixed in version 2.6.0 by removing or restricting this debug parameter exposure.

Impact Analysis

This vulnerability allows any authenticated user, including those with low privileges, to obtain the full database schema and understand the authorization logic of the application.

  • Attackers can map table names, column names, JOIN relationships, and access control conditions.
  • It enables attackers to identify multi-tenant boundaries, which can facilitate cross-tenant attacks.
  • The exposed information can be used to craft targeted SQL injection attacks against other vulnerabilities.
  • There is a significant risk to data confidentiality and system security due to this information disclosure.
Compliance Impact

The exposure of the complete database schema, including access control logic and multi-tenant identifiers, can lead to potential violations of data protection and compliance requirements such as GDPR and HIPAA.

By revealing sensitive internal details of the database and authorization mechanisms, this vulnerability increases the risk of unauthorized data access or breaches, which are critical concerns under these regulations.

Detection Guidance

This vulnerability can be detected by sending an authenticated GET request to the Recipe API endpoint with the hidden query parameter `?debug=true`. If the response contains the full raw SQL query executed by the backend, including table names, column names, JOIN relationships, WHERE conditions, and multi-tenant space IDs, then the system is vulnerable.

A sample command to test this is to first authenticate as any user to obtain a bearer token, then send a GET request like the following:

  • curl -H "Authorization: Bearer <token>" "https://<your-tandoor-instance>/api/recipe/?debug=true&format=json"

If the response JSON contains the raw SQL query string, the vulnerability is present.

Mitigation Strategies

The immediate mitigation step is to upgrade Tandoor Recipes to version 2.6.0 or later, where this vulnerability has been patched by removing or restricting the debug parameter exposure.

Until the upgrade can be performed, restrict access to the Recipe API endpoint to trusted users only and monitor API usage for suspicious requests containing the `?debug=true` parameter.

Additionally, review and tighten authentication and authorization controls to limit access to authenticated users and consider implementing rate limiting and audit logging to detect exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33153. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart