Exposed Database Vulnerability in Tandoor Recipes by NixOS
CVE-2026-23838

8.7 HIGH

Key Information:

Vendor: Nixos
Status: Vendor
CVE Published: 19 January 2026

What is CVE-2026-23838?

Tandoor Recipes, as packaged by NixOS and configured with SQLite, may expose its entire database file to unauthenticated network clients when the default MEDIA_ROOT setting is left in place. MEDIA_ROOT is the directory from which uploaded media is served publicly, and in the affected configuration it defaults to the same directory that holds the SQLite database file, the application's state directory under /var/lib/tandoor-recipes. The problem is therefore not a permission bit on the file but an overlap of two directories: anything stored in the state directory, the database included, becomes retrievable through the media URL path without logging in. NixOS 26.05 changes the module configuration so that the database no longer sits inside the served directory. Earlier releases, including 25.11, need a manual workaround: point MEDIA_ROOT at a dedicated subdirectory rather than at the state directory itself, so that only uploaded media is reachable from the web.
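A check for the misconfiguration described above, added here as an example and not code from Tandoor Recipes or the NixOS module: it tests whether the SQLite database file lies inside the directory served as MEDIA_ROOT, reports the URL path under which it would be fetchable, and additionally scans a media directory for any file carrying the SQLite 3 header, so a renamed database is caught too. The database file name db.sqlite3 and the /media/ URL prefix are assumptions; the advisory text does not name them.

```python
"""Check whether a Tandoor Recipes SQLite database sits inside the publicly
served MEDIA_ROOT (the CVE-2026-23838 misconfiguration).

Added example, not code from Tandoor Recipes or the NixOS module.  The
database file name `db.sqlite3` and the media URL prefix `/media/` are
assumptions; substitute the values from your deployment.
"""
import os
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def is_under(path, root):
    """True if `path` lies inside `root` after resolving symlinks and `..`."""
    path = os.path.realpath(path)
    root = os.path.realpath(root)
    return os.path.commonpath([path, root]) == root


def database_exposed(media_root, db_path, media_url="/media/"):
    """Return the URL path under which the database would be served, or None.

    Only the path relationship is examined; nothing is read from disk, so the
    function can be run against configuration values before deployment.
    """
    if not is_under(db_path, media_root):
        return None
    rel = os.path.relpath(os.path.realpath(db_path), os.path.realpath(media_root))
    return media_url.rstrip("/") + "/" + rel.replace(os.sep, "/")


def find_sqlite_files(media_root):
    """Walk a media directory and return files carrying the SQLite 3 header.

    Catches the database even if it has been renamed, which a name-based
    check would miss.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(media_root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    if fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC:
                        hits.append(full)
            except OSError:
                continue
    return sorted(hits)


def demo():
    """Constructed scenario: the state directory doubles as MEDIA_ROOT
    (vulnerable) versus a dedicated media subdirectory (fixed).  A temp dir
    stands in for /var/lib/tandoor-recipes so this runs anywhere."""
    with tempfile.TemporaryDirectory() as state:
        db = os.path.join(state, "db.sqlite3")            # assumed file name
        with open(db, "wb") as fh:
            fh.write(SQLITE_MAGIC + b"\x00" * 84)           # 100-byte fake header
        media = os.path.join(state, "media")
        os.makedirs(media)
        with open(os.path.join(media, "recipe.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff")                       # constructed upload
        vulnerable = database_exposed(state, db)            # MEDIA_ROOT = state dir
        fixed = database_exposed(media, db)                 # MEDIA_ROOT = state/media
        return (vulnerable, fixed,
                len(find_sqlite_files(state)), len(find_sqlite_files(media)))


if __name__ == "__main__":
    print(demo())
```

Run database_exposed against the real MEDIA_ROOT and database path of a 25.11 deployment: a non-None result is the URL path an unauthenticated GET would use to download the database, and the fix is the one the advisory describes, pointing MEDIA_ROOT at a dedicated subdirectory of the state directory rather than at the state directory itself. find_sqlite_files is the post-fix sanity check that nothing database-shaped is left in the served tree.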


Affected Version(s)

nixpkgs >= 23.05, < 26.05


CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published: 19 January 2026

  • Vulnerability reserved