Severity by source
CVSS vector (GitHub Advisory): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
Description (GitHub Advisory)
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, RecipeBookViewSet and RecipeBookEntryViewSet use CustomIsShared as an alternative permission class, but CustomIsShared.has_object_permission() returns True for all HTTP methods - including DELETE, PUT, and PATCH - without checking request.method in SAFE_METHODS. Any user who is in the shared list of a RecipeBook can delete or overwrite it, even though shared access is semantically read-only. This vulnerability is fixed in 2.6.4.
Analysis (AI)
Privilege escalation in Tandoor Recipes prior to version 2.6.4 allows authenticated users with read-only shared access to recipe books to perform unauthorized write and delete operations. The CustomIsShared permission class incorrectly permits DELETE, PUT, and PATCH methods without validating safe HTTP methods, enabling shared users to overwrite or delete recipe books despite having semantically read-only permissions. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Tandoor Recipes versions prior to 2.6.4. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate-high despite the 8.1 CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user Alice shares her recipe book collection with colleague Bob, intending to give him read-only access to browse recipes. Bob, either maliciously or through API exploration, discovers he can send HTTP DELETE requests to the RecipeBookViewSet endpoint for Alice's shared recipe books. … |
| Remediation | Upgrade to Tandoor Recipes version 2.6.4 or later, which includes a fix for the permission validation logic in CustomIsShared.has_object_permission(). … Detailed patch versions, workarounds, and compensating controls in full report. |
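The permission flaw described in the GitHub Advisory text above, and the shape of the fix referred to in the Remediation row, as an added example that is not Tandoor's own code: a self-contained Python stand-in for the Django REST Framework permission classes. Only CustomIsShared, has_object_permission() and SAFE_METHODS are named on the page; the CustomIsOwner class, the shared-list attribute, the User/Request/RecipeBook dataclasses and the OR-composition helper (standing in for DRF's `Owner | Shared` operator composition, which is an assumption about how the view combines them) are constructed for illustration. Django REST Framework itself is not imported, so the block runs offline.

```python
# Added example, not Tandoor's code. Reconstructs the read-only-sharing bug
# in a permission class and shows the hardened form. Real DRF permission
# classes subclass rest_framework.permissions.BasePermission; this stand-in
# only needs the has_object_permission(request, view, obj) hook.
from dataclasses import dataclass, field

# Same tuple as rest_framework.permissions.SAFE_METHODS: the HTTP methods
# that must not change server state.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")
ALL_METHODS = ("GET", "HEAD", "OPTIONS", "POST", "PUT", "PATCH", "DELETE")


@dataclass
class User:
    name: str


@dataclass
class Request:
    method: str
    user: User


@dataclass
class RecipeBook:
    owner: User
    # Assumed attribute: users the owner granted (semantically read-only) access.
    shared: list = field(default_factory=list)


class CustomIsOwner:
    """Assumed companion class: the owner may do anything with the object."""

    def has_object_permission(self, request, view, obj):
        return obj.owner == request.user


class CustomIsSharedVulnerable:
    """Pre-2.6.4 behaviour as the advisory describes it: being in the shared
    list grants the object for every method, so PUT/PATCH/DELETE succeed."""

    def has_object_permission(self, request, view, obj):
        return request.user in obj.shared


class CustomIsSharedFixed:
    """Hardened form: shared membership only satisfies safe (read-only)
    methods; anything else must be authorised by another class (the owner)."""

    def has_object_permission(self, request, view, obj):
        if request.method not in SAFE_METHODS:
            return False
        return request.user in obj.shared


def check_object_permissions(permission_classes, request, obj):
    """Stand-in for DRF's OR composition of permission classes: the request
    is allowed if any listed class grants object-level permission."""
    return any(
        cls().has_object_permission(request, None, obj) for cls in permission_classes
    )


def allowed_methods(permission_classes, user, book):
    """Return the set of HTTP methods `user` may use on `book` under the
    given permission classes; handy for comparing vulnerable vs fixed."""
    return {
        method
        for method in ALL_METHODS
        if check_object_permissions(permission_classes, Request(method, user), book)
    }


# Constructed sample data: Alice owns a book shared with Bob; Carol is unrelated.
alice, bob, carol = User("alice"), User("bob"), User("carol")
BOOK = RecipeBook(owner=alice, shared=[bob])

VULNERABLE = [CustomIsOwner, CustomIsSharedVulnerable]
FIXED = [CustomIsOwner, CustomIsSharedFixed]

if __name__ == "__main__":
    for label, classes in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(f"{label}: bob may use {sorted(allowed_methods(classes, bob, BOOK))}")
```

Under the vulnerable composition Bob, who was only meant to browse, gets every method including DELETE; under the fixed composition he keeps GET/HEAD/OPTIONS only, while Alice (owner) and Carol (no relationship) are unaffected by the change. The check against SAFE_METHODS is the whole fix: an object-level permission that ignores request.method grants write access to anyone it matches.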
Recommended Action (AI)
Within 24 hours: Identify all Tandoor Recipes instances in your environment and document current version numbers. …
Weakness: CWE-749 – Exposed Dangerous Method or Function
Technique: Information Disclosure
EUVD identifier: EUVD-2026-19673