Can you explain this vulnerability to me?

CVE-2026-33153 is an information disclosure vulnerability in Tandoor Recipes versions prior to 2.6.0. The Recipe API endpoint exposes a hidden query parameter `?debug=true` that returns the complete raw SQL query executed by the backend. This includes detailed schema information such as table names, column names, JOIN relationships, WHERE conditions revealing access control logic, and multi-tenant space IDs.

This debug parameter works even when Django's DEBUG setting is set to False (production mode) and is accessible to any authenticated user regardless of their privilege level. This means a low-privilege attacker can use this parameter to map the entire database schema and reverse-engineer the authorization model.

The vulnerability arises because the code checks for the presence of the debug parameter but does not verify if debugging is enabled, nor does it check user privileges or implement rate limiting or audit logging. The issue was fixed in version 2.6.0 by removing or restricting this debug parameter exposure.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability allows any authenticated user, including those with low privileges, to obtain the full database schema and understand the authorization logic of the application.

• Attackers can map table names, column names, JOIN relationships, and access control conditions.
• It enables attackers to identify multi-tenant boundaries, which can facilitate cross-tenant attacks.
• The exposed information can be used to craft targeted SQL injection attacks against other vulnerabilities.
• There is a significant risk to data confidentiality and system security due to this information disclosure.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The exposure of the complete database schema, including access control logic and multi-tenant identifiers, can lead to potential violations of data protection and compliance requirements such as GDPR and HIPAA.

By revealing sensitive internal details of the database and authorization mechanisms, this vulnerability increases the risk of unauthorized data access or breaches, which are critical concerns under these regulations.

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending an authenticated GET request to the Recipe API endpoint with the hidden query parameter `?debug=true`. If the response contains the full raw SQL query executed by the backend, including table names, column names, JOIN relationships, WHERE conditions, and multi-tenant space IDs, then the system is vulnerable.

A sample command to test this is to first authenticate as any user to obtain a bearer token, then send a GET request like the following:

• curl -H "Authorization: Bearer <token>" "https://<your-tandoor-instance>/api/recipe/?debug=true&format=json"

If the response JSON contains the raw SQL query string, the vulnerability is present.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Tandoor Recipes to version 2.6.0 or later, where this vulnerability has been patched by removing or restricting the debug parameter exposure.

Until the upgrade can be performed, restrict access to the Recipe API endpoint to trusted users only and monitor API usage for suspicious requests containing the `?debug=true` parameter.

Additionally, review and tighten authentication and authorization controls to limit access to authenticated users and consider implementing rate limiting and audit logging to detect exploitation attempts.

Useful 0 Not Useful 0