{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35489", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T20:49:44.454Z", "datePublished": "2026-04-07T14:53:18.333Z", "dateUpdated": "2026-04-07T15:58:45.810Z"}, "containers": {"cna": {"title": "Tandoor Recipes \u2014 `amount`/`unit` bypass serializer in `food/{id}/shopping/`", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1284", "lang": "en", "description": "CWE-1284: Improper Validation of Specified Quantity in Input", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-8w8h-3pv2-3554", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-8w8h-3pv2-3554"}, {"name": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4"}], "affected": [{"vendor": "TandoorRecipes", "product": "recipes", "versions": [{"version": "< 2.6.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T14:53:18.333Z"}, "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the POST /api/food/{id}/shopping/ endpoint reads amount and unit directly from request.data and passes them without validation to ShoppingListEntry.objects.create(). Invalid amount values (non-numeric strings) cause an unhandled exception and HTTP 500. A unit ID from a different Space can be associated cross-space, leaking foreign-key references across tenant boundaries. All other endpoints creating ShoppingListEntry use ShoppingListEntrySerializer, which validates and sanitizes these fields. This vulnerability is fixed in 2.6.4."}], "source": {"advisory": "GHSA-8w8h-3pv2-3554", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-8w8h-3pv2-3554", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T15:57:25.623338Z", "id": "CVE-2026-35489", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:58:45.810Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35489", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T15:57:25.623338Z"}}}], "references": [{"url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-8w8h-3pv2-3554", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:57:33.375Z"}}], "cna": {"title": "Tandoor Recipes \u2014 `amount`/`unit` bypass serializer in `food/{id}/shopping/`", "source": {"advisory": "GHSA-8w8h-3pv2-3554", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "TandoorRecipes", "product": "recipes", "versions": [{"status": "affected", "version": "< 2.6.4"}]}], "references": [{"url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-8w8h-3pv2-3554", "name": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-8w8h-3pv2-3554", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4", "name": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the POST /api/food/{id}/shopping/ endpoint reads amount and unit directly from request.data and passes them without validation to ShoppingListEntry.objects.create(). Invalid amount values (non-numeric strings) cause an unhandled exception and HTTP 500. A unit ID from a different Space can be associated cross-space, leaking foreign-key references across tenant boundaries. All other endpoints creating ShoppingListEntry use ShoppingListEntrySerializer, which validates and sanitizes these fields. This vulnerability is fixed in 2.6.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1284", "description": "CWE-1284: Improper Validation of Specified Quantity in Input"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T14:53:18.333Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35489", "state": "PUBLISHED", "dateUpdated": "2026-04-07T15:58:45.810Z", "dateReserved": "2026-04-02T20:49:44.454Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T14:53:18.333Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*", "matchCriteriaId": "D29C4837-2650-4BEF-A332-657E7D593877", "versionEndExcluding": "2.6.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the POST /api/food/{id}/shopping/ endpoint reads amount and unit directly from request.data and passes them without validation to ShoppingListEntry.objects.create(). Invalid amount values (non-numeric strings) cause an unhandled exception and HTTP 500. A unit ID from a different Space can be associated cross-space, leaking foreign-key references across tenant boundaries. All other endpoints creating ShoppingListEntry use ShoppingListEntrySerializer, which validates and sanitizes these fields. This vulnerability is fixed in 2.6.4."}], "id": "CVE-2026-35489", "lastModified": "2026-04-14T20:13:00.487", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T16:16:27.160", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-8w8h-3pv2-3554"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-8w8h-3pv2-3554"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}, {"lang": "en", "value": "CWE-1284"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "recipes", "source": "cna", "vendor": "TandoorRecipes"}, "product": "recipes", "vendor": "tandoorrecipes"}], "analysis": {"en": {"generated_at": "2026-04-14T22:38:20.382204+00:00", "value": {"mitigation_remediation": ["Upgrade to Tandoor Recipes version 2.6.4 or later.", "Temporarily block write access to /api/food/{id}/shopping/\u2014for example, disable the route or use firewall rules until the patch is applied.", "Monitor server logs for recurring HTTP 500 responses from this endpoint to detect exploitation attempts."], "summary": {"action": "Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Tandoor Recipes, the recipe\u2011management application, is affected in all releases older than 2.6.4. The flaw exists in the POST endpoint that creates shopping list entries from a recipe by ID. Users operating any prior release of the software can send crafted requests to this endpoint and trigger the exception or expose cross\u2011account references.", "description_and_impact": "Tandoor Recipes provides an endpoint for adding items to a shopping list. The POST /api/food/{id}/shopping/ route accepts the amount and unit fields directly from the request data and passes them to the model creation function without validation. If amount contains a non\u2011numeric value, the backend raises an unhandled exception that results in a generic HTTP 500 response. Additionally, the unit identifier may belong to a different space, allowing an attacker to associate a shopping list item with foreign\u2011key references from another tenant. Other endpoints that create a shopping list entry use a serializer that correctly validates and sanitizes these fields, making this endpoint the unique source of the vulnerability. A fix was released with version 2.6.4, which restores proper validation.", "risk_and_exploitability": "The CVSS score of 7.3 indicates high severity, but the EPSS value of less than 1 percent suggests that active exploitation is currently unlikely. The vulnerability is not listed in CISA\u2019s KEV catalog. The most probable attack vector involves sending a crafted POST request to the endpoint with an invalid amount string or an out\u2011of\u2011space unit ID; authentication to the API is inferred from typical use of protected endpoints. An attacker could disrupt services by triggering 500 errors and potentially glean foreign\u2011key references that reveal the existence of records in other tenant spaces. Administrators should monitor logs for repeated 500 responses and apply the vendor\u2019s patch to close the issue."}}}}, "created": "2026-04-08T19:37:18.206561+00:00", "updated": "2026-04-15T16:30:09.724500+00:00", "vendors": ["tandoorrecipes", "tandoorrecipes$PRODUCT$recipes"]}