CVE-2026-23838
Published: 19 January 2026
Summary
CVE-2026-23838 is a high-severity Insertion of Sensitive Information into Externally-Accessible File or Directory (CWE-538) vulnerability. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 31.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3303
Vulnerability details
Tandoor Recipes is a recipe manager than can be installed with the Nix package manager. Starting in version 23.05 and prior to version 26.05, when using the default configuration of Tandoor Recipes, specifically using SQLite and default `MEDIA_ROOT`, the full…
more
database file may be externally accessible, potentially on the Internet. The root cause is that the NixOS module configures the working directory of Tandoor Recipes, as well as the value of `MEDIA_ROOT`, to be `/var/lib/tandoor-recipes`. This causes Tandoor Recipes to create its `db.sqlite3` database file in the same directory as `MEDIA_ROOT` causing it to be accessible without authentication through HTTP like any other media file. This is the case when using `GUNICORN_MEDIA=1` or when using a web server like nginx to serve media files. NixOS 26.05 changes the default value of `MEDIA_ROOT` to a sub folder of the data directory. This only applies to configurations with `system.stateVersion` >= 26.05. For older configurations, one of the workarounds should be applied instead. NixOS 25.11 has received a backport of this patch, though it doesn't fix this vulnerability without user intervention. A recommended workaround is to move `MEDIA_ROOT` into a subdirectory. Non-recommended workarounds include switching to PostgreSQL or disallowing access to `db.sqlite3`.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability exposes SQLite DB file (containing credentials/user data) via unauthenticated HTTP due to misconfigured MEDIA_ROOT, directly enabling access to unsecured credentials in files.
CVEs Like This One
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Pre- and post-publication reviews prevent insertion of sensitive information into externally-accessible public locations.
Monitors for sensitive information placed in externally accessible files or directories.
The map shows if data actions result in sensitive information being placed in externally accessible locations.
Isolation and eradication reduce the ability to exploit sensitive information inserted into externally-accessible files or directories.
Approved categorization forces identification of externally accessible files that contain sensitive content so they receive proper protection.
The pre-implementation review identifies externally accessible files or directories containing PII and drives access restrictions or removal.
Tainting makes it possible to determine when sensitive data has been removed from externally accessible files or directories.
OPSEC practices stop placement of supply-chain information into locations accessible to external parties.