CVE-2026-23838
📋 TL;DR
Tandoor Recipes' default NixOS configuration places the SQLite database file inside the directory used as MEDIA_ROOT, and that directory is served externally over HTTP. As a result, an unauthenticated attacker can download the entire database. Affects Tandoor Recipes installations on NixOS that use the SQLite backend with the default MEDIA_ROOT setting.
💻 Affected Systems
- Tandoor Recipes
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database exfiltration including user credentials, personal data, and recipe content, potentially leading to credential reuse attacks and privacy violations.
Likely Case
Unauthenticated database download exposing user information, recipe data, and potentially hashed passwords.
If Mitigated
Database remains inaccessible externally with proper configuration or patching.
🎯 Exploit Status
Exploitation requires direct HTTP access to the database file at /media/db.sqlite3 or similar path. No authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: NixOS 26.05
Vendor Advisory: https://github.com/NixOS/nixpkgs/security/advisories/GHSA-g8w3-p77x-mmxh
Restart Required: Yes
Instructions:
1. Update NixOS to version 26.05 or later.
2. Ensure system.stateVersion is set to >= 26.05.
3. Restart the Tandoor Recipes service.
For NixOS 25.11, apply the backported patch manually.
🔧 Temporary Workarounds
Move MEDIA_ROOT to a subdirectory
Change the MEDIA_ROOT configuration to a subdirectory of /var/lib/tandoor-recipes so that the database file is separated from the served media files.
Edit the NixOS configuration:
  services.tandoor-recipes.mediaRoot = "/var/lib/tandoor-recipes/media";
Then apply it:
  nixos-rebuild switch
Switch to PostgreSQL
Migrate from the SQLite backend to a PostgreSQL database backend:
- Configure PostgreSQL in the NixOS configuration
- Migrate the database following the Tandoor Recipes documentation
🧯 If You Can't Patch
- Configure web server (nginx/apache) to block access to db.sqlite3 files
- Implement network-level restrictions to limit access to media directory
🔍 How to Verify
Check if Vulnerable:
Check whether http://your-server/media/db.sqlite3 returns the database file. Also check the configuration: if services.tandoor-recipes.mediaRoot is set to /var/lib/tandoor-recipes (the default), the database file sits inside the served media directory.
Check Version:
nixos-version
Verify Fix Applied:
Attempt to access http://your-server/media/db.sqlite3; it should return 404 or access denied. Verify that MEDIA_ROOT points to a subdirectory rather than to /var/lib/tandoor-recipes itself.
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses for db.sqlite3 file access
- Unusual database file download patterns
Network Indicators:
- HTTP GET requests for /media/db.sqlite3
- Large file downloads from media directory
SIEM Query:
http.url:"/media/db.sqlite3" AND http.status_code:200
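For environments without a SIEM, the same two indicators (a 200 response for db.sqlite3 under /media/, and unusually large successful downloads from the media directory) can be checked directly against the reverse proxy's access log. The following is an added example, not part of the advisory or the Tandoor project; it assumes nginx "combined" log format and uses constructed sample lines.

```python
import re
from dataclasses import dataclass

# nginx "combined" log format (assumption: the reverse proxy in front of
# Tandoor logs in this format; adjust the regex for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2026:09:14:02 +0000] "GET /media/db.sqlite3 HTTP/1.1" 200 5242880 "-" "curl/8.5.0"
198.51.100.4 - - [10/Jan/2026:09:14:05 +0000] "GET /media/recipes/1/pizza.jpg HTTP/1.1" 200 84213 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2026:09:15:11 +0000] "GET /media/db.sqlite3 HTTP/1.1" 404 153 "-" "curl/8.5.0"
198.51.100.9 - - [10/Jan/2026:09:16:40 +0000] "GET /media/export/backup.zip HTTP/1.1" 200 73400320 "-" "Mozilla/5.0"
"""

LARGE_MEDIA_BYTES = 50 * 1024 * 1024  # threshold for a "large download"; tune per site

@dataclass
class Finding:
    ip: str
    path: str
    status: int
    size: int
    reason: str

def scan(log_text: str, large_threshold: int = LARGE_MEDIA_BYTES) -> list[Finding]:
    """Return one Finding per log line matching the advisory's indicators."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path, status = m["path"].split("?", 1)[0], int(m["status"])
        size = 0 if m["bytes"] == "-" else int(m["bytes"])
        # Indicator 1: the SQLite file under /media/ was served successfully
        if path.startswith("/media/") and path.endswith("db.sqlite3") and status == 200:
            findings.append(Finding(m["ip"], path, status, size, "db.sqlite3 served with 200"))
        # Indicator 2: unusually large successful download from the media directory
        elif path.startswith("/media/") and status == 200 and size >= large_threshold:
            findings.append(Finding(m["ip"], path, status, size, "large media download"))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ip} {f.path} {f.status} {f.size}B: {f.reason}")
```

The 404 for db.sqlite3 in the sample is deliberately not flagged: after the fix is applied, that is the expected response and only 200s indicate exposure.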