CVE-2026-33149

HIGH

Tandoor Recipes Vulnerable to Host Header Injection

Title source: cna

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-33149. PoCs published by adminlove520, FilipeGaudard.

AI-analyzed exploit summary

The repository contains a functional PoC for CVE-2026-33149, demonstrating a Host Header Injection vulnerability in Tandoor Recipes. The exploit leverages the default wildcard ALLOWED_HOSTS setting to poison invite links and other server-generated URLs, redirecting them to an attacker-controlled domain.

Description

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions up to and including 2.5.3 set ALLOWED_HOSTS = '*' by default, which causes Django to accept any value in the HTTP Host header without validation. The application uses request.build_absolute_uri() to generate absolute URLs in multiple contexts, including invite link emails, API pagination, and OpenAPI schema generation, so an attacker who can send requests to the application with a crafted Host header can manipulate every server-generated absolute URL.

The most critical impact is invite link poisoning: when an admin creates an invite and the application sends the invite email, the link points to the attacker's server instead of the real application. When the victim clicks the link, the invite token is sent to the attacker, who can then use it at the real application. At the time of publication, it is unknown whether a patched version is available.
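To make the root cause concrete, the following stand-alone Python model (added here; not Tandoor's or Django's code) approximates Django's ALLOWED_HOSTS matching rules (exact host, leading-dot suffix, and the '*' wildcard; a simplified re-implementation, which is an assumption) and shows why a wildcard lets a foreign Host header flow into a server-generated invite link, while pinning ALLOWED_HOSTS to the deployment's real hostnames rejects the request before any URL is built. Hostnames and the token are constructed placeholders.

```python
import re
from typing import List, Optional

# Constructed sample settings: the weak default the advisory describes and
# the hardened form a deployment should ship with (example hostnames).
WEAK_ALLOWED_HOSTS = ["*"]
HARDENED_ALLOWED_HOSTS = ["recipes.example.org", ".recipes.example.org"]

# Host header shape: hostname or bracketed IPv6 literal, optional port.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9:.]+\])(:[0-9]+)?$", re.I)


def host_allowed(host_header: str, allowed_hosts: List[str]) -> bool:
    """Simplified model of Django's ALLOWED_HOSTS check (assumption).

    '*' matches anything; '.example.org' matches example.org and any
    subdomain; anything else must match the hostname exactly (port ignored).
    """
    m = _HOST_RE.match(host_header.strip())
    if not m:
        return False
    host = m.group(1).lower()
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host.endswith(pattern) or host == pattern[1:]):
            return True
    return False


def build_invite_link(host_header: str, allowed_hosts: List[str], token: str) -> Optional[str]:
    """Model of an invite-email link derived from the request's Host header.

    Returns None when the request would be rejected (Django answers 400)
    before any absolute URL is generated; otherwise the absolute link, which
    with a wildcard is whatever host the client claimed.
    """
    if not host_allowed(host_header, allowed_hosts):
        return None
    authority = _HOST_RE.match(host_header.strip()).group(0)
    return f"https://{authority}/invite/{token}"


def demo() -> dict:
    """Same foreign Host header against the weak and hardened settings."""
    foreign_host = "recipes.invalid"  # constructed placeholder for a host the deployment does not own
    token = "TOKEN-PLACEHOLDER"       # constructed placeholder for the invite token
    return {
        "weak": build_invite_link(foreign_host, WEAK_ALLOWED_HOSTS, token),
        "hardened": build_invite_link(foreign_host, HARDENED_ALLOWED_HOSTS, token),
        "legit": build_invite_link("recipes.example.org", HARDENED_ALLOWED_HOSTS, token),
    }
```

With the weak setting the invite link carries the foreign host; with the hardened list the same request is refused and only the real hostname ever appears in a generated link.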

Exploits (2)

github WORKING POC 3 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-33149

The repository contains a functional PoC for CVE-2026-33149, demonstrating a Host Header Injection vulnerability in Tandoor Recipes. The exploit leverages the default wildcard ALLOWED_HOSTS setting to poison invite links and other server-generated URLs, redirecting them to an attacker-controlled domain.

Classification: Working PoC (100%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Tandoor Recipes <= 2.5.3
Auth required
Prerequisites: access to an admin account or valid session cookies · ability to send crafted HTTP requests with arbitrary Host headers
Analyzed by devstral-2 on May 02, 2026
nomisec WORKING POC
by FilipeGaudard · poc
https://github.com/FilipeGaudard/CVE-2026-33149-PoC

This repository contains a functional PoC for CVE-2026-33149, demonstrating a Host Header Injection vulnerability in Tandoor Recipes. The exploit leverages the default wildcard ALLOWED_HOSTS setting to poison invite links and other server-generated URLs, redirecting them to an attacker-controlled domain.

Classification: Working PoC (100%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Tandoor Recipes <= 2.5.3
Auth required
Prerequisites: access to an admin account · ability to send crafted HTTP requests with modified Host headers
Analyzed by devstral-2 on Apr 08, 2026


Scores

CVSS v3 8.1
EPSS 0.0030
EPSS Percentile 21.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-644
Status published
Products (2)
tandoor/recipes < 2.5.3
TandoorRecipes/recipes <= 2.5.3
Published Mar 26, 2026
Tracked Since Mar 27, 2026