EUVD-2026-16315CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration (ACCOUNT_RATE_LIMITS: login: 5/m/ip) only applies to the HTML-based login endpoint at /accounts/login/. Any API endpoint that accepts authenticated requests can be targeted via Authorization: Basic headers with zero rate limiting, zero account lockout, and unlimited attempts. An attacker can perform high-speed password guessing against any known username. Version 2.6.0 patches the issue.
Analysis
Tandoor Recipes versions prior to 2.6.0 allow unlimited brute-force password guessing attacks against any known username through API endpoints accepting BasicAuthentication headers. While Django AllAuth rate limiting protects the HTML login form (5 attempts per minute per IP), API endpoints completely bypass these controls, enabling high-speed credential stuffing with no account lockout. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all instances of Tandoor Recipes in production and verify version numbers; immediately restrict API endpoint access through network controls (see compensating controls). Within 7 days: Evaluate upgrade to version 2.6.0 or later in a staging environment; review API access logs for anomalous authentication patterns. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today