CVE-2026-29055 Overview
Tandoor Recipes, an open-source application for managing recipes, planning meals, and building shopping lists, contains an information disclosure vulnerability in its image processing pipeline. In versions prior to 2.6.0, the application explicitly skips EXIF metadata stripping, image rescaling, and size validation for WebP and GIF image formats. A developer TODO comment in the source code acknowledges this as a known issue.
When users upload recipe photos in WebP format—the default format for modern smartphone cameras—their sensitive EXIF data including GPS coordinates, camera model, timestamps, and software information is stored and served to all users who can view the recipe.
Critical Impact
Sensitive user location data and device information embedded in WebP and GIF images are exposed to all users with recipe viewing permissions, creating significant privacy risks for users sharing recipe photos.
Affected Products
- Tandoor Recipes versions prior to 2.6.0
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-29055 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-29055
Vulnerability Analysis
This vulnerability is classified under CWE-1230 (Exposure of Sensitive Information Through Metadata). The core issue lies in the differential treatment of image formats within Tandoor Recipes' image processing pipeline. While other image formats undergo proper sanitization including EXIF metadata stripping and image rescaling, WebP and GIF formats bypass these security controls entirely.
Modern smartphones, particularly those running recent versions of Android and iOS, default to capturing photos in WebP format due to its superior compression. These images automatically embed rich EXIF metadata including precise GPS coordinates, device identifiers, capture timestamps, and other potentially sensitive information. When users upload recipe photos taken with their smartphones, this metadata is preserved and subsequently served to anyone with viewing access to the recipe.
The presence of a developer TODO comment in the source code indicates this was a known gap in the security implementation that remained unaddressed until version 2.6.0.
Root Cause
The root cause is incomplete implementation of the image sanitization pipeline. The code path responsible for processing uploaded images contains conditional logic that explicitly skips EXIF stripping and image validation for WebP and GIF file formats. This creates an inconsistent security boundary where privacy protections are format-dependent rather than universally applied.
Attack Vector
This vulnerability is exploitable over the network without authentication in scenarios where recipes are publicly shared. An attacker can:
- Access publicly shared recipes or gain legitimate viewing access to shared recipes
- Download recipe images in WebP or GIF format
- Extract EXIF metadata using standard tools to reveal the uploader's location, device information, and capture timestamps
- Correlate this information across multiple recipe uploads to build a profile of the user's movements and habits
The exploitation requires no special privileges beyond recipe viewing access, making it a low-complexity attack with direct privacy implications for users who unknowingly share location-tagged photos.
Detection Methods for CVE-2026-29055
Indicators of Compromise
- Presence of EXIF metadata in served WebP or GIF images from the Tandoor Recipes application
- User reports of location or device information exposure through shared recipe photos
- Unusual access patterns to recipe images, particularly bulk downloads of user-uploaded photos
Detection Strategies
- Implement automated scanning of stored WebP and GIF images for EXIF metadata presence
- Review application logs for bulk image download requests that may indicate data harvesting
- Audit recipe sharing permissions to identify potentially exposed user-uploaded images
Monitoring Recommendations
- Monitor for tools commonly used for EXIF extraction accessing the application
- Track image download patterns for anomalies suggesting targeted data collection
- Implement alerts for external tools querying image endpoints at high frequency
How to Mitigate CVE-2026-29055
Immediate Actions Required
- Upgrade Tandoor Recipes to version 2.6.0 or later immediately
- Review previously uploaded WebP and GIF images for sensitive EXIF metadata
- Consider re-processing existing images to strip metadata after upgrading
- Notify users about potential historical exposure if publicly shared recipes contained location-tagged images
Patch Information
The vulnerability has been addressed in Tandoor Recipes version 2.6.0. Users should update to this version or later to ensure proper EXIF metadata stripping is applied to all image formats including WebP and GIF. For detailed release information, see the GitHub Release Notes and the GitHub Security Advisory.
Workarounds
- Manually strip EXIF metadata from WebP and GIF images before uploading using tools like exiftool
- Convert WebP images to other formats (such as JPEG) that are properly processed by older Tandoor versions before uploading
- Restrict recipe sharing to trusted users only until the patch can be applied
- Disable public recipe sharing features temporarily if running a vulnerable version
# Strip EXIF metadata from WebP images before uploading
exiftool -all= recipe_photo.webp
# Verify EXIF data has been removed
exiftool recipe_photo.webp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
