Tandoor Recipes
cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*
- <= 2.6.0
A vulnerability in the Tandoor Recipes Recipe API endpoint in versions prior to 2.6.0 allows authenticated users to access a hidden `?debug=true` query parameter. This parameter reveals the complete raw SQL query being executed, including database schema details, access control logic, and multi-tenant space IDs. The issue persists even when Django's `DEBUG` setting is `False`, and can be exploited by low-privilege users to map the database schema and reverse-engineer the authorization model.
Exploitation of this vulnerability leads to unauthorized information disclosure: attackers gain access to sensitive database schema details and authorization logic, which could aid the exploitation of other vulnerabilities or constitute a breach of data protection regulations.
To reproduce this vulnerability, authenticate as any user and send a request to the Recipe API endpoint with the `?debug=true` query parameter. The response will include the leaked SQL query, which can be parsed to extract database schema information, access control logic, and multi-tenant space IDs.
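Since the leak is triggered by a single query parameter, the request pattern described above is easy to spot in web-server access logs, which helps defenders find out whether the parameter was probed before the upgrade was applied. The following is an added detection example written for this advisory; it is not code from the Tandoor Recipes project. It assumes the Recipe API is served under `/api/recipe/` and that the logs are in Apache/nginx combined format; both are assumptions, and the log lines below are constructed, not real traffic.

```python
"""Flag access-log entries that exercise the hidden ``?debug=true`` parameter
on the Tandoor Recipes Recipe API.

Added example for this advisory, not code from the Tandoor project.
Assumptions not stated in the advisory: the Recipe API lives under
``/api/recipe/`` and the logs use Apache/nginx combined format.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: client ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed path prefix of the affected endpoint.
RECIPE_API_PREFIX = "/api/recipe/"


def is_debug_probe(request_target):
    """True when the request targets the Recipe API and carries debug=true.

    The value check is case-insensitive so that ``debug=True`` is caught too,
    and parse_qs handles the parameter appearing anywhere in the query string.
    """
    parts = urlsplit(request_target)
    if not parts.path.startswith(RECIPE_API_PREFIX):
        return False
    values = parse_qs(parts.query, keep_blank_values=True).get("debug", [])
    return any(v.lower() == "true" for v in values)


def scan_access_log(lines):
    """Return one finding per matching line as (client, user, time, target, status).

    Lines that do not match the combined format are skipped rather than
    raising, so a partially corrupted log still yields results.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_debug_probe(m.group("target")):
            findings.append((m.group("client"), m.group("user"), m.group("time"),
                             m.group("target"), int(m.group("status"))))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Jan/2025:10:00:01 +0000] "GET /api/recipe/?page=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - bob [12/Jan/2025:10:00:07 +0000] "GET /api/recipe/?debug=true HTTP/1.1" 200 18342 "-" "curl/8.4.0"',
    '10.0.0.9 - bob [12/Jan/2025:10:00:12 +0000] "GET /api/recipe/42/?debug=True&format=json HTTP/1.1" 200 9001 "-" "curl/8.4.0"',
    '10.0.0.7 - carol [12/Jan/2025:10:01:00 +0000] "GET /api/keyword/?debug=true HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '10.0.0.7 - carol [12/Jan/2025:10:01:05 +0000] "GET /api/recipe/?debug=false HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for client, user, when, target, status in scan_access_log(SAMPLE_LOG):
        print(f"{when} {client} user={user} status={status} {target}")
```

Because the affected endpoint requires authentication, the `user` field (or the session/user id your reverse proxy logs) identifies which account issued the probe; a 200 response to such a request on an unpatched version means the SQL text was returned.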
Users should upgrade to Tandoor Recipes version 2.6.0 or later, where this vulnerability has been patched.