{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35045", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T21:06:06.428Z", "datePublished": "2026-04-06T17:17:57.647Z", "dateUpdated": "2026-04-06T17:17:57.647Z"}, "containers": {"cna": {"title": "Tandoor Recipes Affected by Private Recipe Exposure and Unauthorized Modification", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-v8x3-w674-55p5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-v8x3-w674-55p5"}, {"name": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4"}], "affected": [{"vendor": "TandoorRecipes", "product": "recipes", "versions": [{"version": "< 2.6.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T17:17:57.647Z"}, "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint in Tandoor Recipes allows any authenticated user within a Space to modify any recipe in that Space, including recipes marked as private by other users. This bypasses all object-level authorization checks enforced on standard single-recipe endpoints (PUT /api/recipe/{id}/), enabling forced exposure of private recipes, unauthorized self-grant of access via the shared list, and metadata tampering. This vulnerability is fixed in 2.6.4."}], "source": {"advisory": "GHSA-v8x3-w674-55p5", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint in Tandoor Recipes allows any authenticated user within a Space to modify any recipe in that Space, including recipes marked as private by other users. This bypasses all object-level authorization checks enforced on standard single-recipe endpoints (PUT /api/recipe/{id}/), enabling forced exposure of private recipes, unauthorized self-grant of access via the shared list, and metadata tampering. This vulnerability is fixed in 2.6.4."}], "id": "CVE-2026-35045", "lastModified": "2026-04-06T18:16:42.133", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T18:16:42.133", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4"}, {"source": "security-advisories@github.com", "url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-v8x3-w674-55p5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "recipes", "source": "cna", "vendor": "TandoorRecipes"}, "product": "recipes", "vendor": "tandoorrecipes"}], "analysis": {"en": {"generated_at": "2026-04-06T21:38:39.231719+00:00", "value": {"mitigation_remediation": ["Upgrade Tandoor Recipes to version 2.6.4 or later."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized modification and exposure of private recipes"}, "threat_synthesis": {"affected_systems": "The flaw affects instances of Tandoor Recipes running any release prior to 2.6.4. Users with authentication credentials within a space can trigger the exploit; the vulnerability is tied to the web API rather than the underlying operating system or database platform.", "description_and_impact": "A flaw in the batch update endpoint of Tandoor Recipes allows an authenticated user to modify recipes in a shared space, including those marked as private, bypassing all object\u2011level authorization checks that normally protect standard single\u2011recipe updates. The vulnerability therefore enables forced disclosure of private content and tampering with recipe metadata, compromising the confidentiality and integrity of user data.", "risk_and_exploitability": "With a CVSS score of 8.1 the risk is classified as high. Although EPSS data is not available, the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread public exploitation yet. The attack requires an authenticated session within a space and is performed via an HTTP PUT to \"/api/recipe/batch_update/\", so exposure depends on network access to the Tandoor instance and the attacker\u2019s ability to acquire user credentials. Once exploited, the attacker can permanently alter private recipes or grant themselves further access to shared lists."}}}}, "created": "2026-04-06T21:29:53.682676+00:00", "updated": "2026-04-06T21:47:10.151264+00:00", "vendors": ["tandoorrecipes", "tandoorrecipes$PRODUCT$recipes"]}