Is Python affected by CVE-2026-33149?

Tandoor Recipes versions through 2.5.3 contain a host header validation flaw that allows authenticated administrators to be socially engineered into distributing invite tokens to attacker-controlled servers, compromising user onboarding security and potentially exposing sensitive invitation data.

CVE-2026-33149

EUVD-2026-16313 HIGH

2026-03-26 GitHub_M

8.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 26, 2026 - 19:16 euvd

EUVD-2026-16313

Analysis Generated

Mar 26, 2026 - 19:16 vuln.today

CVE Published

Mar 26, 2026 - 18:53 nvd

HIGH 8.1

Description

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions up to and including 2.5.3 set ALLOWED_HOSTS = '*' by default, which causes Django to accept any value in the HTTP Host header without validation. The application uses request.build_absolute_uri() to generate absolute URLs in multiple contexts, including invite link emails, API pagination, and OpenAPI schema generation. An attacker who can send requests to the application with a crafted Host header can manipulate all server-generated absolute URLs. The most critical impact is invite link poisoning: when an admin creates an invite and the application sends the invite email, the link points to the attacker's server instead of the real application. When the victim clicks the link, the invite token is sent to the attacker, who can then use it at the real application. As of time of publication, it is unknown if a patched version is available.

Analysis

Tandoor Recipes versions through 2.5.3 permit Host header injection attacks that enable invite link poisoning, allowing authenticated administrators with high privileges to be social-engineered into sending system-generated invite tokens to attacker-controlled servers. The Django application's default ALLOWED_HOSTS='*' configuration fails to validate HTTP Host headers, which combined with request.build_absolute_uri() usage allows manipulation of all absolute URLs including invite emails, API pagination, and OpenAPI schemas. …

Remediation

Within 24 hours: Audit ALLOWED_HOSTS configuration in all Tandoor Recipes deployments and restrict to explicit, trusted hostnames (remove wildcard '*' setting); document current administrator activity and any unusual invite link activity. Within 7 days: Review recent invite email logs for any unintended recipient domains; communicate security advisory to all administrative users with training on host header manipulation social engineering. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +40

POC: 0

CVE-2026-33149 vulnerability details – vuln.today

Back

CVE-2026-33149

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-33149

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code