Home / Vulnerability Intelligence / CVE-2026-33152

CVE-2026-33152 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: March 26, 2026

Tandoor Recipes - Authentication Bypass

Published: March 26, 2026Updated: March 26, 2026Remote Exploitable

Overview

Tandoor Recipes < 2.6.0 contains a broken authentication caused by BasicAuthentication backend lacking rate limiting on API endpoints, letting attackers perform high-speed password guessing, exploit requires known usernames.

Severity & Score

Severity: Critical

CVSS Score: 9.1

EPSS Score: 6.3%(Probability of exploitation in next 30 days)

Impact

Attackers can perform unlimited password guessing on any username, potentially leading to account compromise.

Mitigation

Upgrade to version 2.6.0 or later.

References

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

Mar 26, 2026

🔴 CVE-2026-33152 - Critical (9.1) Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backend... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33152/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Offensive Sequence

@offseq

Mar 26, 2026

⚠️ CVE-2026-33152: TandoorRecipes < 2.6.0 suffers CRITICAL vuln (CVSS 9.1). No rate limiting on API BasicAuth enables unlimited password guessing. Patch to 2.6.0 now! https://radar.offseq.com/threat/cve-2026-33152-cwe-307-improper-restriction-of-exc-e7cae15a #OffSeq #Vulnerability #TandoorRecipes #APIsecurity

View original post

Related Resources

Details

CVE ID: CVE-2026-33152
Severity: Critical
CVSS Score: 9.1
Type: broken_authentication
Status: new
EPSS: 6.3%
Social Posts: 2

CWE

CWE-307

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score

6.3%Probability of exploitation in the next 30 days