CVE-2026-35489

Tandoor Recipes — `amount`/`unit` bypass serializer in `food/{id}/shopping/`

CVSS 7.3 HIGH · EPSS 0.2% · CWE-1284 · CWE-639
In short

A recipe management app fails to validate user input on a shopping list endpoint, allowing attackers to crash the server with invalid data or associate shopping items with units from other users' spaces, potentially exposing private information.

Technical detail

The POST /api/food/{id}/shopping/ endpoint bypasses ShoppingListEntrySerializer validation by reading amount and unit directly from request.data without sanitization, enabling injection of non-numeric amounts (CWE-1284) and cross-tenant unit association (CWE-639). Every other endpoint that creates a ShoppingListEntry validates its input through the serializer; this one does not, so an authenticated attacker can trigger HTTP 500 errors or leak foreign-key references across Space boundaries.

Summary generated and translated by AI from the official description.
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the POST /api/food/{id}/shopping/ endpoint reads amount and unit directly from request.data and passes them without validation to ShoppingListEntry.objects.create(). Invalid amount values (non-numeric strings) cause an unhandled exception and HTTP 500. A unit ID from a different Space can be associated cross-space, leaking foreign-key references across tenant boundaries. All other endpoints creating ShoppingListEntry use ShoppingListEntrySerializer, which validates and sanitizes these fields. This vulnerability is fixed in 2.6.4.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
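The two failure modes described above, shown as an added plain-Python illustration that is not Tandoor's code: `unvalidated_entry` mirrors the reported pattern of copying fields straight from request.data, while `validate_shopping_entry` applies the serializer-style checks (numeric, finite amount; unit must belong to the caller's Space). The `Unit` class, the sample `UNITS` table, the space ids and the default amount of 1 are all constructed for this example.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation


@dataclass(frozen=True)
class Unit:
    """Minimal stand-in for a unit row; space_id is the tenant that owns it."""
    id: int
    space_id: int
    name: str


# Constructed sample data: unit 1 belongs to space 10, unit 2 to space 20.
UNITS = {1: Unit(1, 10, "g"), 2: Unit(2, 20, "cup")}


class ValidationError(ValueError):
    """Stands in for a serializer validation error, which DRF turns into HTTP 400."""


def unvalidated_entry(data, space_id):
    """Vulnerable pattern: amount and unit copied from request.data as-is."""
    # float() on a non-numeric string raises here and nothing catches it -> HTTP 500.
    # The unit id is stored without checking which space owns it.
    return {"amount": float(data.get("amount", 1)), "unit": data.get("unit"), "space_id": space_id}


def validate_shopping_entry(data, space_id, units=UNITS):
    """Serializer-style validation: finite numeric amount, unit scoped to the caller's space."""
    try:
        amount = Decimal(str(data.get("amount", 1)))  # default of 1 is an assumption of this example
    except InvalidOperation:
        raise ValidationError("amount must be a number")
    if not amount.is_finite() or amount < 0:  # rejects "NaN"/"Infinity", which Decimal() accepts
        raise ValidationError("amount must be a finite, non-negative number")
    unit_id = data.get("unit")
    unit = None
    if unit_id is not None:
        unit = units.get(unit_id)
        # Unknown ids and ids owned by another space get the same answer, so the
        # response does not confirm that a foreign unit exists.
        if unit is None or unit.space_id != space_id:
            raise ValidationError("unit not found")
    return {"amount": amount, "unit": unit, "space_id": space_id}


def http_outcome(handler, data, space_id):
    """Map a handler's behaviour to the status a DRF view would return."""
    try:
        handler(data, space_id)
        return 200
    except ValidationError:
        return 400  # rejected by validation
    except Exception:
        return 500  # unhandled exception becomes a server error
```

Run `http_outcome(validate_shopping_entry, {"amount": "1", "unit": 2}, 10)` to see the cross-space unit rejected with 400, where the unvalidated path would have stored it.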
Affected products
TandoorRecipes · recipes
