CVE-2026-33153— Tandoor Recipes SQL注入漏洞

Tandoor Recipes's Unauthenticated Debug Parameter Leaks Full Raw SQL Queries Including Schema, Table Names, and Access Control Logic

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the Recipe API endpoint exposes a hidden `?debug=true` query parameter that returns the complete raw SQL query being executed, including all table names, column names, JOIN relationships, WHERE conditions (revealing access control logic), and multi-tenant space IDs. This parameter works even when Django's `DEBUG=False` (production mode) and is accessible to any authenticated user regardless of their privilege level. This allows a low-privilege attacker to map the entire database schema and reverse-engineer the authorization model. Version 2.6.0 patches the issue.

N/A

SQL命令中使用的特殊元素转义处理不恰当(SQL注入)

Tandoor Recipes SQL注入漏洞

Tandoor Recipes是Tandoor Recipes开源的一个用于管理食谱、计划膳食、建立购物清单等等的应用程序。 Tandoor Recipes 2.6.0之前版本存在SQL注入漏洞，该漏洞源于Recipe API端点暴露了一个隐藏的debug查询参数，可能导致低权限攻击者映射整个数据库架构并逆向工程授权模型。

N/A

N/A