Executive Summary

CVE-2026-27460 is a Denial of Service (DoS) vulnerability in the Tandoor Recipes application versions prior to 2.6.5, specifically in the recipe import functionality.

The vulnerability occurs because the application extracts files from uploaded ZIP archives directly into memory without validating the uncompressed size, allowing an authenticated user to upload a specially crafted ZIP bomb.

A ZIP bomb is a small compressed file that decompresses into an extremely large payload, causing excessive memory consumption.

This can cause the server process to spike memory usage dramatically, exhausting system resources, degrading performance, or causing the operating system to terminate the application process, resulting in a denial of service.

• Requires only an authenticated user account with file upload capability.
• No file size or decompressed size validation is performed on ZIP uploads.
• The compression ratio exploited can exceed 1,000:1, turning a small upload (~20MB) into tens of gigabytes in memory.
• The vulnerability was fixed in version 2.6.5 by adding validation or limiting decompression size.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unusually high memory usage spikes on the server process handling recipe imports, especially Gunicorn worker processes running inside Docker containers.

Since the attack involves uploading a specially crafted ZIP file (ZIP bomb) to the /recipe/import endpoint, detection can include inspecting incoming file uploads for unusually high compression ratios or large decompressed sizes.

Commands to help detect this condition include monitoring memory usage of the application process, for example:

• Use `top` or `htop` to observe memory consumption spikes of Gunicorn worker processes.
• Use `docker stats <container_id>` to monitor container memory usage in real time.
• Use `ps aux --sort=-%mem | head` to identify processes consuming the most memory.

Additionally, inspecting web server or application logs for repeated large file uploads to the /recipe/import endpoint by authenticated users may help identify exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Tandoor Recipes to version 2.6.5 or later, where this vulnerability has been fixed by adding validation or limiting decompression size to prevent resource exhaustion.

Until the upgrade can be performed, consider implementing the following temporary mitigations:

• Restrict or disable the recipe import functionality for authenticated users if possible.
• Implement network-level controls such as rate limiting or file size restrictions on uploads to the /recipe/import endpoint.
• Monitor system memory usage closely and configure alerts for abnormal spikes.
• Use web application firewall (WAF) rules to detect and block suspicious ZIP file uploads with unusually high compression ratios.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can severely impact the availability and performance of the Tandoor Recipes server.

An attacker with a standard authenticated user account can upload a malicious ZIP bomb that causes excessive memory consumption, leading to resource exhaustion.

The consequences include severe performance degradation, potential swapping, or the operating system's Out of Memory (OOM) killer terminating the application process.

This results in a denial of service, making the application unavailable to legitimate users.

Useful 0 Not Useful 0