LeakyCreds
NewInstant webhook alerts now available — notified within seconds of any credential detection.Learn more →
Home / Vulnerability Intelligence / CVE-2026-33152

CVE-2026-33152 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: March 26, 2026

Tandoor Recipes - Authentication Bypass

Published: March 26, 2026Updated: March 26, 2026Remote Exploitable

Overview

Tandoor Recipes < 2.6.0 contains a broken authentication caused by BasicAuthentication backend lacking rate limiting on API endpoints, letting attackers perform high-speed password guessing, exploit requires known usernames.

Severity & Score

Severity: Critical
CVSS Score: 9.1
EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Attackers can perform unlimited password guessing on any username, potentially leading to account compromise.

Mitigation

Upgrade to version 2.6.0 or later.

References

Social Media Activity(2 posts)

Offensive Sequence
Offensive Sequence
@offseq
Mar 26, 2026

⚠️ CVE-2026-33152: TandoorRecipes < 2.6.0 suffers CRITICAL vuln (CVSS 9.1). No rate limiting on API BasicAuth enables unlimited password guessing. Patch to 2.6.0 now! https://radar.offseq.com/threat/cve-2026-33152-cwe-307-improper-restriction-of-exc-e7cae15a #OffSeq #Vulnerability #TandoorRecipes #APIsecurity

View original post
Offensive Sequence
Offensive Sequence
@offseq
Mar 26, 2026

⚠️ CVE-2026-33152: TandoorRecipes < 2.6.0 suffers CRITICAL vuln (CVSS 9.1). No rate limiting on API BasicAuth enables unlimited password guessing. Patch to 2.6.0 now! https://radar.offseq.com/threat/cve-2026-33152-cwe-307-improper-restriction-of-exc-e7cae15a #OffSeq #Vulnerability #TandoorRecipes #APIsecurity

View original post

Related Resources

Details

CVE ID
CVE-2026-33152
Severity
Critical
CVSS Score
9.1
Type
broken_authentication
Status
new
EPSS
0.0%
Social Posts
2

CWE

  • CWE-307

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score

0.0%Probability of exploitation in the next 30 days