CVE-2026-35045

Tandoor Recipes Affected by Private Recipe Exposure and Unauthorized Modification

CVSS 8.1 HIGH · EPSS 0.3% · CWE-639
In short

Tandoor Recipes allows any logged-in user in a workspace to modify and expose other users' private recipes through a batch update endpoint. This bypasses security checks that normally protect individual recipes, letting attackers force recipes to be shared or change their details without permission.

Technical detail

The PUT /api/recipe/batch_update/ endpoint omits the object-level authorization checks that the single-recipe endpoints perform, so any authenticated user can modify arbitrary recipes within their Space, including private recipes owned by other users. The attack vector is direct API manipulation; the only precondition is an authenticated account in the same Space. The impact is unauthorized exposure of private recipes, forced sharing via the shared list, and metadata tampering. Fixed in version 2.6.4.
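The pattern behind CWE-639 here is a bulk endpoint that filters by tenant (the Space) but never asks, per object, whether the caller may edit that object. The following is an added illustration written for this page, not Tandoor's code: the models, field names (`created_by`, `private`, `shared`) and the edit policy in `can_edit` are assumptions chosen to mirror the advisory's description, with a vulnerable batch update placed beside a hardened one.

```python
"""Model of the batch-update authorization gap (illustrative, not Tandoor's implementation)."""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    pass


@dataclass
class User:
    id: int
    space: int          # tenant the user belongs to


@dataclass
class Recipe:
    id: int
    space: int
    created_by: int     # owner's user id (assumed field name)
    name: str = ""
    private: bool = False
    shared: set = field(default_factory=set)   # user ids granted access (assumed)


def can_edit(user: User, recipe: Recipe) -> bool:
    """Object-level check, as a single-recipe endpoint would enforce it.
    Assumed policy: same Space, and either owner, or recipe is not private,
    or the user is on the recipe's shared list."""
    if recipe.space != user.space:
        return False
    if recipe.created_by == user.id:
        return True
    return (not recipe.private) or user.id in recipe.shared


def apply_changes(recipe: Recipe, changes: dict) -> None:
    if "name" in changes:
        recipe.name = changes["name"]
    if "private" in changes:
        recipe.private = changes["private"]
    if "shared_add" in changes:
        recipe.shared.update(changes["shared_add"])


def single_update(user: User, recipes: dict, recipe_id: int, changes: dict) -> None:
    """PUT /api/recipe/{id}/ analogue: per-object check before any write."""
    recipe = recipes[recipe_id]
    if not can_edit(user, recipe):
        raise PermissionDenied(f"recipe {recipe_id}")
    apply_changes(recipe, changes)


def batch_update_vulnerable(user: User, recipes: dict, ids: list, changes: dict) -> None:
    """Filters only by Space, so any member can rewrite anyone's private recipe."""
    for r in recipes.values():
        if r.id in ids and r.space == user.space:
            apply_changes(r, changes)


def batch_update_fixed(user: User, recipes: dict, ids: list, changes: dict) -> None:
    """Re-uses the same object-level check for every target, and refuses the whole
    batch before touching anything if any single recipe is not editable."""
    targets = [recipes[i] for i in ids if i in recipes]
    denied = [r.id for r in targets if not can_edit(user, r)]
    if denied:
        raise PermissionDenied(f"not permitted on recipes {denied}")
    for r in targets:
        apply_changes(r, changes)


def demo() -> dict:
    """Constructed scenario: alice owns a private recipe; mallory shares the Space."""
    alice, mallory = User(id=1, space=10), User(id=2, space=10)
    hostile = {"private": False, "shared_add": {mallory.id}, "name": "tampered"}
    result = {}

    recipes = {5: Recipe(5, 10, alice.id, name="secret", private=True)}
    try:
        single_update(mallory, recipes, 5, hostile)
        result["single_refused"] = False
    except PermissionDenied:
        result["single_refused"] = True

    batch_update_vulnerable(mallory, recipes, [5], hostile)
    r = recipes[5]
    result["vulnerable_leaked"] = (not r.private) and mallory.id in r.shared and r.name == "tampered"

    recipes = {5: Recipe(5, 10, alice.id, name="secret", private=True)}
    try:
        batch_update_fixed(mallory, recipes, [5], hostile)
        result["fixed_refused"] = False
    except PermissionDenied:
        result["fixed_refused"] = True
    r = recipes[5]
    result["fixed_untouched"] = r.private and not r.shared and r.name == "secret"
    return result


if __name__ == "__main__":
    print(demo())
```

The hardened version checks every target before writing any of them; applying changes as it goes would let a batch with one forbidden id partially succeed, which is the same class of inconsistency between endpoints that the advisory describes. The practical audit question for any bulk endpoint is whether it calls the identical object-level permission function the single-object endpoint uses.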

Summary generated and translated by AI from the official description.
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint in Tandoor Recipes allows any authenticated user within a Space to modify any recipe in that Space, including recipes marked as private by other users. This bypasses all object-level authorization checks enforced on standard single-recipe endpoints (PUT /api/recipe/{id}/), enabling forced exposure of private recipes, unauthorized self-grant of access via the shared list, and metadata tampering. This vulnerability is fixed in 2.6.4.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected products
TandoorRecipes · recipes
