{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35045", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T21:06:06.428Z", "datePublished": "2026-04-06T17:17:57.647Z", "dateUpdated": "2026-04-07T14:29:07.687Z"}, "containers": {"cna": {"title": "Tandoor Recipes Affected by Private Recipe Exposure and Unauthorized Modification", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-v8x3-w674-55p5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-v8x3-w674-55p5"}, {"name": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4"}], "affected": [{"vendor": "TandoorRecipes", "product": "recipes", "versions": [{"version": "< 2.6.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T17:17:57.647Z"}, "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint in Tandoor Recipes allows any authenticated user within a Space to modify any recipe in that Space, including recipes marked as private by other users. This bypasses all object-level authorization checks enforced on standard single-recipe endpoints (PUT /api/recipe/{id}/), enabling forced exposure of private recipes, unauthorized self-grant of access via the shared list, and metadata tampering. This vulnerability is fixed in 2.6.4."}], "source": {"advisory": "GHSA-v8x3-w674-55p5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T14:26:34.201700Z", "id": "CVE-2026-35045", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:29:07.687Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Tandoor Recipes Affected by Private Recipe Exposure and Unauthorized Modification", "source": {"advisory": "GHSA-v8x3-w674-55p5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "TandoorRecipes", "product": "recipes", "versions": [{"status": "affected", "version": "< 2.6.4"}]}], "references": [{"url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-v8x3-w674-55p5", "name": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-v8x3-w674-55p5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4", "name": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint in Tandoor Recipes allows any authenticated user within a Space to modify any recipe in that Space, including recipes marked as private by other users. This bypasses all object-level authorization checks enforced on standard single-recipe endpoints (PUT /api/recipe/{id}/), enabling forced exposure of private recipes, unauthorized self-grant of access via the shared list, and metadata tampering. This vulnerability is fixed in 2.6.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T17:17:57.647Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35045", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T14:26:34.201700Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-07T14:28:09.234Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-35045", "state": "PUBLISHED", "dateUpdated": "2026-04-06T17:17:57.647Z", "dateReserved": "2026-03-31T21:06:06.428Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T17:17:57.647Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*", "matchCriteriaId": "D29C4837-2650-4BEF-A332-657E7D593877", "versionEndExcluding": "2.6.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint in Tandoor Recipes allows any authenticated user within a Space to modify any recipe in that Space, including recipes marked as private by other users. This bypasses all object-level authorization checks enforced on standard single-recipe endpoints (PUT /api/recipe/{id}/), enabling forced exposure of private recipes, unauthorized self-grant of access via the shared list, and metadata tampering. This vulnerability is fixed in 2.6.4."}], "id": "CVE-2026-35045", "lastModified": "2026-04-10T18:32:17.580", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T18:16:42.133", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-v8x3-w674-55p5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "recipes", "source": "cna", "vendor": "TandoorRecipes"}, "product": "recipes", "vendor": "tandoorrecipes"}], "analysis": {"en": {"generated_at": "2026-04-10T19:28:38.233274+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading to version 2.6.4 or newer.", "If an immediate upgrade is not feasible, temporarily disable or lock the /api/recipe/batch_update/ endpoint or restrict its use to administrative roles only.", "Review and tighten the permissions for existing Space members to ensure they cannot perform bulk updates unless explicitly authorized.", "Enable auditing or logging for recipe updates to detect suspicious changes.", "After mitigation, verify that private recipes no longer appear to unauthorized members."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Modification and Private Data Exposure"}, "threat_synthesis": {"affected_systems": "Tandoor Recipes versions prior to 2.6.4 are affected. The issue impacts any deployment where the API is exposed \u2013 including self\u2011hosted installations and hosted instances \u2013 as long as an authenticated user belongs to the same Space as the target recipes. All product releases before the 2.6.4 update inherit this flaw, so a review of the installed version is required for every site hosting the application.", "description_and_impact": "Tandoor Recipes is a recipe management application that stores user recipes, meal plans, and shopping lists. This vulnerability resides in the batch update API endpoint, which erroneously permits any authenticated member of a recipe Space to modify every recipe within that Space, irrespective of each recipe's privacy setting. Because the authorization checks that normally protect individual recipe updates are bypassed, an attacker can force private recipes to become visible, grant themselves unauthorized access through shared lists, and alter metadata such as recipe names or instructions. The exposure of private content and the ability to change recipe data compromise confidentiality and integrity for affected users, while potentially impacting availability if critical recipes are deleted or corrupted.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high risk level, but the EPSS score of less than 1% suggests that real\u2011world exploitation is currently unlikely. The vulnerability does not appear in the CISA KEV catalog, further reducing the immediate threat perception. Nevertheless, the attack surface is limited to authenticated users with membership in a Space, meaning that malicious insiders or compromised accounts could leverage the flaw. Exploiting the vulnerability requires sending a crafted PUT request to /api/recipe/batch_update/ with a payload affecting the desired recipes \u2013 no special privileges beyond Space membership are needed. Because the vulnerability operates entirely within the authentication context, defenders should verify that no broader entitlement is being granted inadvertently."}}}}, "created": "2026-04-06T21:29:53.682676+00:00", "updated": "2026-04-13T14:27:41.871232+00:00", "vendors": ["tandoorrecipes", "tandoorrecipes$PRODUCT$recipes"]}