Tandoor Recipes Flaw Exposes Private Recipes

CVE Notify is flagging a critical authorization bypass vulnerability in Tandoor Recipes, an application used for managing recipes, meal planning, and shopping lists. The issue, tracked as CVE-2026-35045, impacts versions prior to 2.6.4. According to CVE Notify, the PUT /api/recipe/batch_update/ endpoint allows any authenticated user within a shared 'Space' to modify any recipe, irrespective of its privacy settings. This effectively bypasses the object-level authorization checks that are supposed to protect individual recipes.

The implications are significant. CVE Notify highlights that this flaw enables unauthorized users to expose private recipes, grant themselves access to recipes through the shared list functionality, and even tamper with recipe metadata. This is a serious lapse in access control, turning a personal recipe manager into a potential privacy nightmare for users.

Fortunately, this vulnerability has been patched. Tandoor Recipes version 2.6.4 addresses CVE-2026-35045, closing the door on these unauthorized access and modification capabilities. Users are strongly advised to update to the latest version immediately to secure their recipe data.

What This Means For You

  • Ensure that all API endpoints enforcing authorization checks, especially those handling batch operations or updates, are rigorously tested for bypass vulnerabilities. Don't assume that individual object-level checks are sufficient; verify that broader collection-level operations also respect access controls.
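The check described in the bullet above, modelled as an added Python example (not Tandoor's code; the User and Recipe shapes, the sharing policy and the sample data are assumptions): the weak Space-only filter is shown beside a per-object check that the batch operation applies to every requested id and that fails closed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    space_id: int

@dataclass(frozen=True)
class Recipe:
    id: int
    space_id: int
    owner_id: int
    private: bool = False
    shared_with: frozenset = frozenset()  # user ids the owner shared the recipe with

# Constructed sample data: Space 10 holds Alice's recipes (one shared with Bob); Space 20 is Carol's.
ALICE, BOB, CAROL = User(1, 10), User(2, 10), User(3, 20)
RECIPES = [
    Recipe(1, 10, ALICE.id, private=True),
    Recipe(2, 10, ALICE.id, private=False),
    Recipe(3, 10, ALICE.id, private=True, shared_with=frozenset({BOB.id})),
    Recipe(4, 20, CAROL.id, private=True),
]

def space_only_targets(user, recipe_ids, recipes):
    """Weak pattern, for contrast: Space membership is the only filter, so other
    members' private recipes are selected for modification."""
    return [r for r in recipes if r.id in recipe_ids and r.space_id == user.space_id]

def can_edit(user, recipe):
    """Per-object check (assumed policy): same Space, and a private recipe only
    for its owner or the users it was explicitly shared with."""
    if recipe.space_id != user.space_id:
        return False
    return not recipe.private or user.id == recipe.owner_id or user.id in recipe.shared_with

def denied_ids(user, recipe_ids, recipes):
    """Batch ids the user may not modify; unknown ids are denied too, so the
    endpoint does not confirm whether a recipe id exists."""
    by_id = {r.id: r for r in recipes}
    return sorted(rid for rid in recipe_ids if rid not in by_id or not can_edit(user, by_id[rid]))

def authorize_batch_update(user, recipe_ids, recipes):
    """Fail closed: check every id and reject the whole batch if any is denied,
    rather than partially applying the update."""
    denied = denied_ids(user, recipe_ids, recipes)
    if denied:
        raise PermissionError(f"batch update not permitted for recipe ids {denied}")
    by_id = {r.id: r for r in recipes}
    return [by_id[rid] for rid in recipe_ids]
```

A test for the endpoint should send a batch that mixes recipes the caller owns with a private recipe belonging to another Space member and expect the whole request to be rejected.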

Indicators of Compromise

ID | Type | Indicator
CVE-2026-35045 | Auth Bypass | Tandoor Recipes prior to 2.6.4: the PUT /api/recipe/batch_update/ endpoint allows authenticated users to modify any recipe in a Space, including private recipes.
CVE-2026-35045 | Information Disclosure | Tandoor Recipes prior to 2.6.4: the PUT /api/recipe/batch_update/ endpoint enables forced exposure of private recipes.
CVE-2026-35045 | Misconfiguration | Tandoor Recipes prior to 2.6.4: the PUT /api/recipe/batch_update/ endpoint bypasses object-level authorization checks.