
CVE-2026-35488 · Tandoor Recipes
EUVD ID: EUVD-2026-19673 · Severity: HIGH 8.1 (CVSS 3.1, GitHub Advisory)
Weakness: Exposed Dangerous Method or Function (CWE-749)
Published: 2026-04-07 · CNA: GitHub_M

Severity by source

GitHub Advisory (primary): 8.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from GitHub Advisory; it is the only scoring source for this CVE.

CVSS vector breakdown (GitHub Advisory)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: High

Lifecycle Timeline (7 events, newest first)

Apr 17, 2026 19:52 · vuln.today · Re-analysis Queued (cvss_changed)
Apr 16, 2026 06:04 · EUVD-patch-fix · Analysis Updated (executive_summary)
Apr 16, 2026 05:29 · backfill_euvd_patch · Re-analysis Queued (patch_released)
Apr 16, 2026 05:29 · EUVD · Patch available: 2.6.4
Apr 07, 2026 15:30 · euvd · EUVD ID Assigned: EUVD-2026-19673
Apr 07, 2026 15:30 · vuln.today · Analysis Generated
Apr 07, 2026 14:51 · nvd · CVE Published (HIGH 8.1)

Description (GitHub Advisory)

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, RecipeBookViewSet and RecipeBookEntryViewSet use CustomIsShared as an alternative permission class, but CustomIsShared.has_object_permission() returns True for all HTTP methods - including DELETE, PUT, and PATCH - without checking request.method in SAFE_METHODS. Any user who is in the shared list of a RecipeBook can delete or overwrite it, even though shared access is semantically read-only. This vulnerability is fixed in 2.6.4.
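The defect is easiest to see as code. The block below is an added example written for this page, not Tandoor Recipes' own source: it reconstructs the CWE-749 pattern the advisory describes (a Django REST Framework object-permission class that ignores `request.method`) next to its hardened form, using tiny stand-ins for the DRF request/model objects so it runs without Django or DRF installed. The model fields `created_by` and `shared`, the owner-permission class, and the users and recipe book are assumptions constructed for the demonstration; only `CustomIsShared`, `has_object_permission()`, `SAFE_METHODS` and the affected methods come from the advisory text.

```python
"""Reconstruction of the CWE-749 pattern behind CVE-2026-35488.

Added example, not Tandoor Recipes' own code. It imitates the Django REST
Framework (DRF) permission-class interface with minimal stand-ins so that
it runs without Django or DRF installed. The model fields (created_by,
shared) and the owner permission are assumptions that follow the advisory
wording; the users, request objects and recipe book below are constructed
test data.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Same tuple DRF exposes as rest_framework.permissions.SAFE_METHODS.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass(frozen=True)
class User:
    username: str


@dataclass
class RecipeBook:
    created_by: User
    shared: list = field(default_factory=list)  # users given read-only access


@dataclass(frozen=True)
class Request:
    method: str
    user: User


class CustomIsOwner:
    """The owner of an object may use any method on it (assumed helper)."""

    def has_object_permission(self, request, view, obj):
        return obj.created_by == request.user


class VulnerableCustomIsShared:
    """Pre-2.6.4 behaviour as described by the advisory: membership in the
    shared list is treated as full access because request.method is never
    compared against SAFE_METHODS."""

    def has_object_permission(self, request, view, obj):
        return request.user in obj.shared


class FixedCustomIsShared:
    """Hardened form: shared users are limited to SAFE_METHODS (read-only)."""

    def has_object_permission(self, request, view, obj):
        if request.method not in SAFE_METHODS:
            return False
        return request.user in obj.shared


def object_allowed(permissions, request, obj) -> bool:
    """Object-level check for an OR-composed permission such as
    `CustomIsOwner | CustomIsShared`: access is granted if any alternative
    grants it. (Real DRF also consults has_permission(); omitted here.)"""
    return any(p.has_object_permission(request, None, obj) for p in permissions)


def decision_table(shared_permission_cls) -> Dict[Tuple[str, str], bool]:
    """Evaluate owner / shared user / unrelated user against GET and the
    mutating methods, using the given CustomIsShared variant."""
    alice, bob, mallory = User("alice"), User("bob"), User("mallory")
    book = RecipeBook(created_by=alice, shared=[bob])  # constructed fixture
    perms = [CustomIsOwner(), shared_permission_cls()]
    roles = {"owner": alice, "shared": bob, "stranger": mallory}
    table = {}
    for role, user in roles.items():
        for method in ("GET", "PUT", "PATCH", "DELETE"):
            table[(role, method)] = object_allowed(perms, Request(method, user), book)
    return table


def shared_user_can_mutate(shared_permission_cls) -> bool:
    """True when a read-only share grants any write/delete method, i.e. the
    CVE-2026-35488 condition is present."""
    t = decision_table(shared_permission_cls)
    return any(t[("shared", m)] for m in ("PUT", "PATCH", "DELETE"))


if __name__ == "__main__":
    for cls in (VulnerableCustomIsShared, FixedCustomIsShared):
        t = decision_table(cls)
        print(f"{cls.__name__}: shared user may mutate = {shared_user_can_mutate(cls)}")
        for (role, method), ok in sorted(t.items()):
            print(f"  {role:8s} {method:6s} -> {'allow' if ok else 'deny'}")
```

Running the block prints one decision table per variant: with `VulnerableCustomIsShared` the shared user is allowed PUT, PATCH and DELETE; with `FixedCustomIsShared` only GET survives for that user, while the owner keeps full access and an unrelated user is denied everything. The equivalent check against a live instance is a DELETE to the recipe-book endpoint from an account that only appears in a book's shared list: on a fixed version (2.6.4 or later) it should be rejected with 403 rather than succeed.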

Analysis (AI-generated)

Tandoor Recipes prior to version 2.6.4 lets an authenticated user who only has shared, read-only access to a recipe book modify or delete it: a missing object-level authorization check (CWE-749) rather than a true elevation of privilege. The CustomIsShared permission class returns True from has_object_permission() for every HTTP method instead of restricting shared users to SAFE_METHODS, so a shared user can send PUT, PATCH, or DELETE to a RecipeBook or RecipeBookEntry and succeed, overwriting or removing data that the owner intended to expose read-only. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: authenticate as a user who has read-only share access to a RecipeBook.
Exploit: send a DELETE, PUT, or PATCH request to the shared RecipeBook (or one of its entries).
Execution: CustomIsShared.has_object_permission() grants the request without checking the HTTP method.
Impact: the shared recipe book or its entries are deleted or overwritten.

Vulnerability Assessment (AI-generated)

Exploitation: Tandoor Recipes versions prior to 2.6.4. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Real-world risk is moderate-high despite the 8.1 CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An authenticated user Alice shares her recipe book collection with colleague Bob, intending to give him read-only access to browse recipes. Bob, either maliciously or through API exploration, discovers he can send HTTP DELETE requests to the RecipeBookViewSet endpoint for Alice's shared recipe books. …

Remediation: Upgrade to Tandoor Recipes version 2.6.4 or later, which includes a fix for the permission validation logic in CustomIsShared.has_object_permission(). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI-generated)

Within 24 hours: Identify all Tandoor Recipes instances in your environment and document current version numbers. …




CVE-2026-35488 vulnerability details – vuln.today
