
Recipes CVE-2026-35489

EUVD: EUVD-2026-19674 · HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-07 · Source: GitHub_M
CVSS 3.1 base score 7.3 · GitHub Advisory

Severity by source

GitHub Advisory (primary): 7.3 HIGH
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from GitHub Advisory; it is the only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline (6 events)

Analysis Updated: Apr 16, 2026 06:04 (EUVD-patch-fix, executive_summary)
Re-analysis Queued: Apr 16, 2026 05:29 (backfill_euvd_patch, patch_released)
Patch available: Apr 16, 2026 05:29 (EUVD, version 2.6.4)
EUVD ID Assigned: Apr 07, 2026 15:30 (euvd, EUVD-2026-19674)
Analysis Generated: Apr 07, 2026 15:30 (vuln.today)
CVE Published: Apr 07, 2026 14:53 (nvd, HIGH 7.3)

Description (GitHub Advisory)

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the POST /api/food/{id}/shopping/ endpoint reads amount and unit directly from request.data and passes them without validation to ShoppingListEntry.objects.create(). Invalid amount values (non-numeric strings) cause an unhandled exception and HTTP 500. A unit ID from a different Space can be associated cross-space, leaking foreign-key references across tenant boundaries. All other endpoints creating ShoppingListEntry use ShoppingListEntrySerializer, which validates and sanitizes these fields. This vulnerability is fixed in 2.6.4.
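The following is an added example, not Tandoor's code: it reconstructs in plain Python the two patterns the description contrasts, a create() call fed straight from request.data, and a validation step of the kind ShoppingListEntrySerializer performs, which rejects non-numeric amounts with a client error instead of an unhandled exception and refuses unit IDs that belong to another Space. The Unit records, Space IDs, function names and sample requests are constructed for the illustration and stand in for the ORM and the DRF view.

```python
"""Added example (not Tandoor's code): unvalidated create() beside a
validated, Space-scoped version. All records and names are constructed."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation


@dataclass(frozen=True)
class Unit:
    id: int
    space_id: int  # the tenant (Space) that owns this unit
    name: str


# Constructed sample data: two tenants, each owning exactly one unit.
UNITS = {
    1: Unit(id=1, space_id=10, name="gram"),
    2: Unit(id=2, space_id=20, name="cup"),
}


class ValidationError(Exception):
    """Client error; a real view would turn it into an HTTP 400 response."""


def create_entry_unvalidated(data, space_id, food_id):
    """Vulnerable pattern from the advisory: request values reach the ORM
    create() untouched. float("XXX") raises ValueError, which surfaces as an
    HTTP 500, and the unit id is never checked against the caller's Space."""
    return {
        "food_id": food_id,
        "space_id": space_id,
        "amount": float(data.get("amount", 1)),
        "unit_id": data.get("unit"),
    }


def validate_entry(data, space_id, food_id):
    """Hardened form: type-check the amount and scope the unit lookup to the
    caller's Space, as a serializer with a Space-filtered queryset would."""
    try:
        amount = Decimal(str(data.get("amount", "1")))
    except InvalidOperation:
        raise ValidationError({"amount": "must be a number"})
    # Decimal accepts "NaN" and "Infinity"; ordering comparisons on NaN raise,
    # so reject non-finite values before comparing.
    if not amount.is_finite() or amount < 0:
        raise ValidationError({"amount": "must be a finite, non-negative number"})

    unit = None
    unit_id = data.get("unit")
    if unit_id is not None:
        try:
            unit_id = int(unit_id)
        except (TypeError, ValueError):
            raise ValidationError({"unit": "must be an integer id"})
        unit = UNITS.get(unit_id)
        # Same error whether the unit is missing or owned by another Space, so
        # the response does not confirm that a foreign unit id exists.
        if unit is None or unit.space_id != space_id:
            raise ValidationError({"unit": "invalid unit for this space"})

    return {
        "food_id": food_id,
        "space_id": space_id,
        "amount": amount,
        "unit_id": unit.id if unit else None,
    }


def handle_post(data, space_id, food_id):
    """View stand-in: returns (status, body) instead of an HTTP response."""
    try:
        return 201, validate_entry(data, space_id, food_id)
    except ValidationError as err:
        return 400, err.args[0]


if __name__ == "__main__":
    # Caller belongs to Space 10; unit 2 belongs to Space 20.
    for payload in ({"amount": "XXX"}, {"amount": "2.5", "unit": "2"},
                    {"amount": "2.5", "unit": 1}):
        print(payload, "->", handle_post(payload, space_id=10, food_id=5))
```

The Space check is the part that addresses CWE-639: the unit id is only ever resolved through a lookup filtered by the caller's own Space, so an id from another tenant yields the same 400 as a non-existent one rather than a created row that references foreign data.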

Analysis (AI)

The POST /api/food/{id}/shopping/ endpoint accepts unvalidated amount and unit parameters, allowing attackers to cause application crashes via malformed numeric inputs (HTTP 500 errors) and to leak foreign-key references across multi-tenant Space boundaries by associating unit IDs from other tenants. CVSS 7.3 reflects network-accessible, low-complexity attacks requiring no authentication. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Send POST request to /api/food/{id}/shopping/
Delivery: Provide invalid amount value triggering unhandled exception
Exploit: Receive HTTP 500 error exposing server information
Execution: Use unit ID from different Space
Persist: Associate cross-space unit leaking foreign-key references
Impact: Access data across tenant boundaries

Vulnerability Assessment (AI)

Exploitation: A remote unauthenticated attacker can exploit Tandoor Recipes versions prior to 2.6.4 by sending crafted POST requests to the /api/food/{id}/shopping/ endpoint with cross-Space unit IDs to leak foreign-key references across tenant boundaries, or trigger HTTP 500 errors with invalid amount values. Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Real-world risk is moderate-high for multi-tenant Tandoor deployments, though lower for single-user instances. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An unauthenticated attacker identifies a public-facing Tandoor Recipes instance (version <2.6.4) and enumerates valid food object IDs through trial-and-error or by scraping publicly accessible recipe pages. The attacker sends crafted POST requests to /api/food/{valid_id}/shopping/ with amount set to a non-numeric string (e.g., 'XXX'), causing repeated HTTP 500 errors and degrading service availability for legitimate users. …

Remediation: Upgrade to Tandoor Recipes version 2.6.4 or later, which implements proper input validation by routing the vulnerable endpoint through ShoppingListEntrySerializer to enforce field-type validation and tenant boundary checks. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

{id}/shopping/ requests with malformed parameters and review cross-tenant data access patterns for evidence of exploitation.



CVE-2025-23211 · CRITICAL · POC · 9.9 · Jan 28
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-25991 · HIGH · POC · 7.7 · Feb 13
Tandoor Recipes prior to 2.5.1 contains a blind server-side request forgery vulnerability in the Cookmate recipe import

CVE-2025-57396 · MEDIUM · POC · 6.5 · Sep 19
Tandoor Recipes 2.0.0-alpha-1, fixed in 2.0.0-alpha-2, is vulnerable to privilege escalation. Rated medium severity (CVS

CVE-2026-25964 · MEDIUM · POC · 4.9 · Feb 13
Path traversal in Tandoor Recipes prior to 2.5.1 allows authenticated users with import permissions to read arbitrary fi

CVE-2026-35488 · HIGH · 8.1 · Apr 07
Privilege escalation in Tandoor Recipes prior to version 2.6.4 allows authenticated users with read-only shared access t

CVE-2026-35045 · HIGH · 8.1 · Apr 06
Authenticated users can modify and expose private recipes in Tandoor Recipes through broken object-level authorization i

CVE-2026-33148 · MEDIUM · 6.5 · Mar 26
Tandoor Recipes versions prior to 2.6.0 allow authenticated remote attackers to cause denial of service by injecting URL

CVE-2026-27460 · MEDIUM · 6.5 · Apr 10
Tandoor Recipes versions prior to 2.6.5 suffer from a denial-of-service vulnerability in the recipe import functionality

CVE-2026-28503 · MEDIUM · 5.5 · Mar 26
Tandoor Recipes versions prior to 2.6.0 allow authenticated admin users to bypass space isolation controls and trigger s

CVE-2026-35046 · MEDIUM · 5.4 · Apr 06
Tandoor Recipes prior to version 2.6.4 allows authenticated users to inject malicious CSS via <style> tags in recipe ste

CVE-2026-29055 · MEDIUM · 5.3 · Mar 26
Tandoor Recipes versions prior to 2.6.0 fail to strip EXIF metadata from WebP and GIF image uploads, exposing sensitive

CVE-2025-23213 · HIGH · POC · 8.7 · Jan 28
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated high severity


CVE-2026-35489 vulnerability details – vuln.today
