CVE-2026-25991
Published: 13 February 2026
Summary
CVE-2026-25991 is a high-severity SSRF (CWE-918) vulnerability in Tandoor Recipes. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046). The CVE ranks at the 13.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of URL inputs in the Cookmate recipe import feature to block malicious destinations after HTTP redirects, addressing the core SSRF vulnerability.
- SI-2 (Flaw Remediation): mandates timely flaw remediation by upgrading to Tandoor Recipes 2.5.1, which patches the SSRF issue in cookbook/integration/cookmate.py.
- Boundary protection: restricts and monitors server outbound connections, mitigating SSRF impacts such as internal port scanning or cloud metadata access.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Blind SSRF directly enables internal network port scanning (T1046) and access to cloud instance metadata APIs (T1522), as the NVD description explicitly states.
NVD Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, there is a Blind Server-Side Request Forgery (SSRF) vulnerability in the Cookmate recipe import feature of Tandoor Recipes. The application fails to validate the destination URL after following HTTP redirects, allowing any authenticated user (including standard users without administrative privileges) to force the server to connect to arbitrary internal or external resources. The vulnerability lies in cookbook/integration/cookmate.py, within the Cookmate integration class. This vulnerability can be leveraged to scan internal network ports, access cloud instance metadata (e.g., AWS/GCP Metadata Service), or disclose the server's real IP address. This vulnerability is fixed in 2.5.1.
Deeper analysis
CVE-2026-25991 is a Blind Server-Side Request Forgery (SSRF) vulnerability (CWE-918) affecting Tandoor Recipes, an open-source application for managing recipes, planning meals, and building shopping lists, in versions prior to 2.5.1. The issue resides in the Cookmate recipe import feature, specifically within the cookbook/integration/cookmate.py file in the Cookmate integration class. The application does not properly validate destination URLs after following HTTP redirects, enabling unauthorized server-side requests. It has a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).
Any authenticated user, including standard users without administrative privileges, can exploit this vulnerability by importing a recipe via the Cookmate feature with a malicious URL that triggers redirects to arbitrary internal or external resources. Attackers can force the server to connect to these destinations, allowing them to scan internal network ports, access cloud instance metadata services such as AWS or GCP Metadata Service, or disclose the server's real IP address.
The vulnerability is fixed in Tandoor Recipes version 2.5.1, as detailed in the project's security advisory (GHSA-j6xg-85mh-qqf7), release notes, and the patching commit (fdf22c5e745740db1fec29d6b4bd3df5d340e6ab). Security practitioners should upgrade to 2.5.1 or later and review access to the Cookmate import functionality.
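The defensive pattern this advisory points at, re-validating the destination on every redirect hop instead of trusting only the URL the user submitted, as an added example that is not Tandoor's own code. The function names, the `fetch` helper (a single request that must not follow redirects itself), the injectable resolver and the sample hostnames and addresses are constructed for illustration.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Tuple
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 5            # constructed limit; tune per deployment
REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_public_ip(ip: str) -> bool:
    """False for loopback, private, link-local (169.254.0.0/16 covers the cloud
    metadata endpoint 169.254.169.254), multicast, reserved and unspecified addresses."""
    try:
        addr = ipaddress.ip_address(ip.split("%")[0])   # drop an IPv6 zone id if present
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve_all(host: str) -> Iterable[str]:
    """Default resolver: every address the host maps to (A and AAAA); an IP literal maps to itself."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_url(url: str, resolve: Callable[[str], Iterable[str]] = resolve_all) -> bool:
    """Accept only http(s) URLs whose host resolves exclusively to public addresses."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        ips = list(resolve(parts.hostname))
    except (OSError, ValueError):            # socket.gaierror is an OSError
        return False
    return bool(ips) and all(is_public_ip(ip) for ip in ips)


def safe_import_url(url: str, fetch: Callable[[str], Tuple[int, dict, bytes]],
                    resolve: Callable[[str], Iterable[str]] = resolve_all) -> Tuple[bool, str, bytes]:
    """Follow redirects by hand so each hop is validated before it is requested.
    `fetch(url)` is a hypothetical helper returning (status, headers, body) for ONE request,
    e.g. a wrapper around requests.get(url, allow_redirects=False).
    Returns (ok, final_url_or_reason, body)."""
    for _ in range(MAX_REDIRECTS + 1):
        if not check_url(url, resolve):
            return False, f"blocked unsafe destination: {url}", b""
        status, headers, body = fetch(url)
        location = headers.get("Location")
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)     # relative Location resolves against the current hop
            continue
        return True, url, body
    return False, "too many redirects", b""
```

Validating before each hop closes the redirect gap described above; to also defeat DNS rebinding between the check and the connect, the HTTP client should connect to the address that was validated rather than resolving the name a second time.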
Details
- CWE(s)