CVE-2026-35045
Tandoor Recipes Affected by Private Recipe Exposure and Unauthorized Modification
CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
8th
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint in Tandoor Recipes allows any authenticated user within a Space to modify any recipe in that Space, including recipes marked as private by other users. This bypasses all object-level authorization checks enforced on standard single-recipe endpoints (PUT /api/recipe/{id}/), enabling forced exposure of private recipes, unauthorized self-grant of access via the shared list, and metadata tampering. This vulnerability is fixed in 2.6.4.
| CWE | CWE-639 |
| Vendor | tandoorrecipes |
| Product | recipes |
| Published | Apr 6, 2026 |
| Last Updated | Apr 7, 2026 |
Stay Ahead of the Next One
Get instant alerts for tandoorrecipes recipes
Be the first to know when new high vulnerabilities affecting tandoorrecipes recipes are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Affected Versions
TandoorRecipes / recipes
< 2.6.4