CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint in Tandoor Recipes allows any authenticated user within a Space to modify any recipe in that Space, including recipes marked as private by other users. This bypasses all object-level authorization checks enforced on standard single-recipe endpoints (PUT /api/recipe/{id}/), enabling forced exposure of private recipes, unauthorized self-grant of access via the shared list, and metadata tampering. This vulnerability is fixed in 2.6.4.
Analysis
Authenticated users can modify and expose private recipes in Tandoor Recipes through broken object-level authorization in the batch update API endpoint. Any authenticated user within a shared Space can modify recipes marked private by other users, force-share private recipes, and tamper with metadata by sending them to the PUT /api/recipe/batch_update/ endpoint, which skips the per-object authorization checks that the single-recipe endpoint (PUT /api/recipe/{id}/) enforces. …
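The authorization gap the Description and Analysis above describe, modelled as an added example (not Tandoor's code): a Space groups users, a recipe has an owner, a private flag and a set of users it is shared with, and the editing rule in can_edit, the field names, and the single/batch functions are assumptions standing in for PUT /api/recipe/{id}/ and PUT /api/recipe/batch_update/. The vulnerable batch handler filters by Space only; the hardened one runs the same per-object check as the single endpoint on every id before the first write.

```python
from dataclasses import dataclass, field

# Assumed set of fields a client may change through the recipe API.
EDITABLE_FIELDS = {"name", "private", "shared_with"}


@dataclass
class User:
    name: str
    space: str


@dataclass
class Recipe:
    id: int
    space: str
    owner: str
    name: str
    private: bool = False
    shared_with: set = field(default_factory=set)


class Forbidden(Exception):
    """Stands in for an HTTP 403 from the API."""


def can_edit(user: User, recipe: Recipe) -> bool:
    # Assumed object-level rule, modelled on the single-recipe endpoint: same
    # Space, and the recipe is public, owned by the caller, or shared with them.
    if recipe.space != user.space:
        return False
    return (not recipe.private
            or recipe.owner == user.name
            or user.name in recipe.shared_with)


def _apply(recipe: Recipe, changes: dict) -> None:
    for key, value in changes.items():
        if key not in EDITABLE_FIELDS:
            raise ValueError(f"field not editable via the API: {key}")
        setattr(recipe, key, value)


def single_update(user, recipes, recipe_id, **changes):
    """Model of PUT /api/recipe/{id}/: the object check runs before any write."""
    recipe = recipes[recipe_id]
    if not can_edit(user, recipe):
        raise Forbidden(recipe_id)
    _apply(recipe, changes)
    return recipe


def batch_update_vulnerable(user, recipes, recipe_ids, **changes):
    """Model of the pre-2.6.4 batch endpoint: the only filter is Space
    membership, so a caller can rewrite any recipe in their Space."""
    targets = [recipes[i] for i in recipe_ids if recipes[i].space == user.space]
    for recipe in targets:
        _apply(recipe, changes)
    return [recipe.id for recipe in targets]


def batch_update_fixed(user, recipes, recipe_ids, **changes):
    """Hardened form: every id must pass the same per-object check as the
    single endpoint, evaluated before the first write so a rejected batch
    leaves nothing half-applied."""
    targets = []
    for i in recipe_ids:
        recipe = recipes.get(i)
        if recipe is None or not can_edit(user, recipe):
            raise Forbidden(i)
        targets.append(recipe)
    for recipe in targets:
        _apply(recipe, changes)
    return [recipe.id for recipe in targets]


def make_space():
    """Constructed sample data: alice's private recipe and a public one."""
    return {
        1: Recipe(1, "kitchen", "alice", "secret sauce", private=True),
        2: Recipe(2, "kitchen", "alice", "bread"),
    }


def demo():
    """Forced exposure plus self-grant via the batch endpoint, then the same
    request against the hardened path; returns the outcomes for checking."""
    bob = User("bob", "kitchen")  # same Space as alice, not shared on recipe 1
    out = {}
    recipes = make_space()
    try:
        single_update(bob, recipes, 1, private=False)
        out["single_blocked"] = False
    except Forbidden:
        out["single_blocked"] = True
    recipes = make_space()
    out["vuln_written"] = batch_update_vulnerable(
        bob, recipes, [1, 2], private=False, shared_with={"bob"})
    out["vuln_recipe1_private"] = recipes[1].private
    out["vuln_bob_shared"] = "bob" in recipes[1].shared_with
    recipes = make_space()
    try:
        batch_update_fixed(bob, recipes, [1, 2], private=False, shared_with={"bob"})
        out["fixed_blocked"] = False
    except Forbidden:
        out["fixed_blocked"] = True
    out["fixed_recipe2_untouched"] = recipes[2].shared_with == set()
    return out


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that scoping a queryset to the caller's Space is not an object-level check: a batch endpoint has to apply the same per-object predicate the single endpoint uses, to every id, and should fail closed before writing so that one unauthorized id does not leave part of the batch applied.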
Remediation
Within 24 hours: Identify all Tandoor Recipes deployments and document current versions in use. Within 7 days: Upgrade to Tandoor Recipes version 2.6.4 or later; if upgrade is not immediately possible, restrict API access to the PUT /api/recipe/batch_update/ endpoint at the network or application layer. …
EUVD-2026-19388