CVE-2026-33152
Published: 26 March 2026
Summary
CVE-2026-33152 is a critical-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Tandoor Recipes. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001); ranked at the 11.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-7 mandates automated mechanisms to lock or disable accounts after a defined number of consecutive unsuccessful logon attempts, directly preventing high-speed brute-force password guessing on API endpoints.
CM-6 requires establishing and implementing secure configuration settings for Django REST Framework: either remove BasicAuthentication from the default authentication backends, or add appropriate protections such as rate limiting to the API endpoints that accept it.
SI-2 ensures timely identification, reporting, and remediation of flaws like CVE-2026-33152 by applying patches such as upgrading to Tandoor Recipes 2.6.0.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unlimited password guessing via Basic auth on public API endpoints (T1110.001), facilitating exploitation of a public-facing application (T1190) for account takeover and subsequent use of valid accounts (T1078).
NVD Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration (ACCOUNT_RATE_LIMITS: login: 5/m/ip) only applies to the HTML-based login endpoint at /accounts/login/. Any API endpoint that accepts authenticated requests can be targeted via Authorization: Basic headers with zero rate limiting, zero account lockout, and unlimited attempts. An attacker can perform high-speed password guessing against any known username. Version 2.6.0 patches the issue.
Deeper analysis
CVE-2026-33152 is a critical-severity vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) affecting Tandoor Recipes, an open-source application for managing recipes, planning meals, and building shopping lists, in versions prior to 2.6.0. The issue stems from the configuration of Django REST Framework, which includes BasicAuthentication as a default authentication backend without rate limiting on API endpoints. While the AllAuth rate limiting (ACCOUNT_RATE_LIMITS: login: 5/m/ip) protects the HTML-based login at /accounts/login/, it does not apply to API endpoints that accept authenticated requests via Authorization: Basic headers. This enables unlimited password guessing attempts with no account lockout, classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts).
Any remote attacker without privileges can exploit this vulnerability by targeting API endpoints with high-speed brute-force attacks using known usernames and Authorization: Basic headers. Successful exploitation allows account takeover, potentially granting full access to user data, recipes, meal plans, and shopping lists, with high impacts on confidentiality and integrity.
The vulnerability is patched in Tandoor Recipes version 2.6.0, as detailed in the project's release notes and security advisory. Security practitioners should upgrade to 2.6.0 or later and review custom configurations for similar misconfigurations in Django REST Framework deployments. Relevant resources include the GitHub release at https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0 and the advisory at https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-7m7c-jjqc-r522.
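The configuration review recommended above can be automated. The following is an added example, not code from Tandoor Recipes or Django REST Framework: it audits a settings REST_FRAMEWORK dict for the pattern behind this CVE, with a constructed weak dict beside a constructed corrected one. The setting keys and class paths are real DRF names; the two dicts and the audit function are assumptions for illustration.

```python
# Added example: audit a Django settings REST_FRAMEWORK dict for the
# CVE-2026-33152 pattern (BasicAuthentication as a default API backend).
BASIC_AUTH = "rest_framework.authentication.BasicAuthentication"

# Constructed: mirrors the pre-2.6.0 pattern the advisory describes. With
# BasicAuthentication as a default class, every API endpoint accepts a
# username:password pair on each request, outside the AllAuth rate limit.
WEAK_REST_FRAMEWORK = {
    "DEFAULT_AUTHENTICATION_CLASSES": [
        "rest_framework.authentication.SessionAuthentication",
        BASIC_AUTH,
    ],
}

# Constructed: corrected configuration. Passwords are only accepted by the
# rate-limited HTML login; API clients use session or token credentials.
HARDENED_REST_FRAMEWORK = {
    "DEFAULT_AUTHENTICATION_CLASSES": [
        "rest_framework.authentication.SessionAuthentication",
        "rest_framework.authentication.TokenAuthentication",
    ],
    "DEFAULT_THROTTLE_CLASSES": ["rest_framework.throttling.AnonRateThrottle"],
    "DEFAULT_THROTTLE_RATES": {"anon": "5/min"},
}


def audit_rest_framework(rest_framework: dict) -> list[str]:
    """Return findings for the CWE-307 exposure; an empty list means clean."""
    findings = []
    auth_classes = rest_framework.get("DEFAULT_AUTHENTICATION_CLASSES", [])
    if BASIC_AUTH in auth_classes:
        findings.append(
            "BasicAuthentication is a default authentication class: every API "
            "endpoint accepts a password per request, bypassing the AllAuth "
            "rate limit that only covers /accounts/login/ (CWE-307)."
        )
    # DRF evaluates DEFAULT_THROTTLE_CLASSES after authentication in
    # APIView.initial(), so throttles alone do not count failed Basic-auth
    # attempts; they are still flagged here as missing defence in depth.
    if not rest_framework.get("DEFAULT_THROTTLE_CLASSES"):
        findings.append(
            "No DEFAULT_THROTTLE_CLASSES configured: API requests are unthrottled."
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_REST_FRAMEWORK), ("hardened", HARDENED_REST_FRAMEWORK)):
        print(name, audit_rest_framework(cfg) or "no findings")
```

Per-view `authentication_classes` overrides are not covered by this check and should be reviewed separately.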
Details
- CWE(s)