What Happened

A high-severity vulnerability identified as CVE-2026-35488 has been discovered in Tandoor Recipes, a popular self-hosted application for managing recipes, planning meals, and building shopping lists. It affects versions of the application prior to 2.6.4 and was publicly disclosed recently. The flaw sits in the application's RecipeBookViewSet and RecipeBookEntryViewSet, the API views that manage recipe books and the entries they contain, including books that are shared with other users.

Before version 2.6.4, Tandoor Recipes relied on a permission class called CustomIsShared to decide what a user may do with a recipe book that has been shared with them. Sharing was intended to grant read-only access, and the class was supposed to block edit operations accordingly. Because of an oversight in its permission check, any user a recipe book had been shared with could delete or overwrite the book and its entries, even though sharing was meant to grant nothing more than read access.

The vulnerability was discovered during routine security assessments and has since been fixed by the vendor. Users are advised to update to version 2.6.4 or later to protect their instances from exploitation.

Technical Details

The root cause of CVE-2026-35488 lies in the CustomIsShared permission class used by the RecipeBookViewSet and RecipeBookEntryViewSet in Tandoor Recipes. This class decides whether a given user may act on a given recipe book object, and it is the only gate between a user who has merely been granted shared access and the book's contents.

CustomIsShared implements has_object_permission(), the per-object hook of Django REST Framework's permission interface. The flawed implementation returns True whenever the requesting user is on the book's share list, for every HTTP method, including DELETE, PUT and PATCH, without first checking whether request.method is one of the framework's SAFE_METHODS (GET, HEAD and OPTIONS). Since the viewsets trust this answer, any user with shared access can perform destructive edits on the recipe data. The flaw carries a CVSS base score of 8.1 (High), reflecting that an authenticated low-privilege user can compromise the integrity and availability of other users' data.
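The following is an added illustration of the check described above, not Tandoor's own code. It stands in for Django REST Framework's permission interface (has_object_permission, SAFE_METHODS) with plain Python so it runs without DRF installed; the User, RecipeBook and Request stand-ins and the field names created_by and shared are assumptions. VulnerableCustomIsShared reproduces the pre-2.6.4 behaviour the advisory describes; FixedCustomIsShared is one correct way to write the check, not necessarily the project's actual patch.

```python
from dataclasses import dataclass, field

# DRF's SAFE_METHODS: the read-only HTTP verbs a share-only user should get.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass(frozen=True)
class User:
    name: str


@dataclass
class RecipeBook:
    """Constructed model: one owner plus the users it has been shared with."""
    name: str
    created_by: User
    shared: list = field(default_factory=list)


@dataclass
class Request:
    """Minimal stand-in for a DRF request: just the verb and the caller."""
    method: str
    user: User


class VulnerableCustomIsShared:
    """Pre-2.6.4 behaviour as described in the advisory: being on the share
    list is enough for every method, so DELETE/PUT/PATCH pass as well."""

    def has_object_permission(self, request, view, obj) -> bool:
        return request.user == obj.created_by or request.user in obj.shared


class FixedCustomIsShared:
    """Hardened form (an assumed correct check, not the project's patch):
    the owner may write; a shared user is limited to SAFE_METHODS."""

    def has_object_permission(self, request, view, obj) -> bool:
        if request.user == obj.created_by:
            return True
        if request.user in obj.shared:
            return request.method in SAFE_METHODS
        return False


def allowed_methods(permission, user, book,
                    methods=("GET", "PATCH", "PUT", "DELETE")):
    """Return the subset of `methods` the permission class lets `user` run
    against `book`. `view` is passed as None because neither class uses it."""
    return tuple(m for m in methods
                 if permission.has_object_permission(Request(m, user), None, book))


# Constructed scenario: alice owns a book that is shared with bob; mallory
# has no relationship to it at all.
alice, bob, mallory = User("alice"), User("bob"), User("mallory")
book = RecipeBook("weeknight dinners", created_by=alice, shared=[bob])

if __name__ == "__main__":
    for cls in (VulnerableCustomIsShared, FixedCustomIsShared):
        perm = cls()
        print(cls.__name__,
              "bob:", allowed_methods(perm, bob, book),
              "mallory:", allowed_methods(perm, mallory, book))
```

Run as a script, the vulnerable class grants bob all four verbs on alice's book while the fixed class grants him only GET; neither class lets mallory do anything, which is why the flaw is an authorization bypass for share recipients specifically rather than an unauthenticated one.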

Exploitation requires an authenticated account that a recipe book has been shared with. That is a prerequisite, not an indicator of compromise: the requests involved are ordinary API calls made with valid credentials, so the meaningful indicator is a successful DELETE, PUT or PATCH against a recipe book or recipe book entry issued by a user who does not own that book. No exploit code has been publicly disclosed, but none is needed; any HTTP client that can send an authenticated write request to the affected endpoints suffices, which is what makes the issue serious despite the access requirement.

Impact

Organizations and individuals using Tandoor Recipes collaboratively, where recipe books are shared between accounts, are the ones at risk. The vulnerability allows any share recipient to overwrite or delete recipes within the shared collection, disrupting meal-planning workflows and destroying data that may exist nowhere else.

The impact is greater for users who keep detailed, carefully maintained recipe data, since silent edits can be as damaging as deletions and harder to notice. A malicious share recipient, or a compromised account that happens to hold shared access, can exploit the gap without any elevated privilege. The issue underscores the importance of distinguishing read access from write access in every object-level permission check of a shared application.

What To Do

  • Upgrade Immediately: Ensure all Tandoor Recipes instances are updated to version 2.6.4 or later, which contains the fix for CVE-2026-35488. If the upgrade must wait, temporarily unshare any recipe books you cannot afford to lose, since until the fix is applied every share recipient can modify or delete them.
  • Review Sharing: Regularly audit which recipe books are shared and with whom, and remove share grants that are no longer needed.
  • Monitor Logs: Make sure request logs record the authenticated user, HTTP method and path, and alert on successful DELETE, PUT or PATCH requests against recipe book and recipe book entry endpoints from users who do not own the book. Failed (403) attempts after the upgrade are also worth a look, since they show who tried.
  • Educate Users: Inform end-users that the update is required and that, on unpatched versions, sharing a recipe book grants far more than read access.
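As an added example of the log review suggested above, and not code from Tandoor or from the advisory, the script below scans request-log lines for successful write requests against recipe book endpoints by non-owners. The key=value log format, the /api/recipe-book/<id>/ and /api/recipe-book-entry/<id>/ path layout, and the ownership tables are all assumptions; in a real deployment the lookup behind book_id_for and BOOK_OWNER would come from the application database. The sample log lines are constructed for the example.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "timestamp user method path book_id")

# Assumed log format: one line per request with the authenticated username,
# verb, path and status. Adjust the pattern to match your proxy or WSGI logs.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>[A-Z]+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3})$"
)
# Assumed router paths for the two affected viewsets.
BOOK_PATH = re.compile(r"^/api/recipe-book/(?P<id>\d+)/$")
ENTRY_PATH = re.compile(r"^/api/recipe-book-entry/(?P<id>\d+)/$")

WRITE_METHODS = {"PUT", "PATCH", "DELETE"}

# Constructed ownership data: book id -> owner, entry id -> containing book.
BOOK_OWNER = {7: "alice", 9: "carol"}
ENTRY_BOOK = {17: 7, 21: 9}


def book_id_for(path):
    """Map a request path to the recipe book it touches, or None if the path
    is not one of the affected endpoints."""
    m = BOOK_PATH.match(path)
    if m:
        return int(m.group("id"))
    m = ENTRY_PATH.match(path)
    if m:
        return ENTRY_BOOK.get(int(m.group("id")))
    return None


def suspicious_writes(lines):
    """Return successful (2xx) write requests against a recipe book or one of
    its entries that were made by someone other than the book's owner."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # tolerate unparseable lines instead of aborting the scan
        if m["method"] not in WRITE_METHODS or not m["status"].startswith("2"):
            continue
        book_id = book_id_for(m["path"])
        if book_id is None:
            continue
        if BOOK_OWNER.get(book_id) != m["user"]:
            findings.append(Finding(m["ts"], m["user"], m["method"],
                                    m["path"], book_id))
    return findings


# Constructed sample: alice owns book 7 (shared with bob), carol owns book 9.
SAMPLE_LOG = """\
2026-04-02T10:15:01Z user=alice method=PATCH path=/api/recipe-book/7/ status=200
2026-04-02T10:15:07Z user=bob method=GET path=/api/recipe-book/7/ status=200
2026-04-02T10:16:30Z user=bob method=DELETE path=/api/recipe-book-entry/17/ status=204
2026-04-02T10:17:02Z user=bob method=PUT path=/api/recipe-book/7/ status=200
2026-04-02T10:17:45Z user=dave method=DELETE path=/api/recipe-book/9/ status=403
2026-04-02T10:18:10Z user=carol method=DELETE path=/api/recipe-book-entry/21/ status=204
this line is deliberately malformed
"""

if __name__ == "__main__":
    for f in suspicious_writes(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.user} {f.method} {f.path} (book {f.book_id})")
```

On the sample data only bob's two successful writes to alice's book are reported: alice and carol editing their own books are legitimate, and dave's rejected DELETE is filtered out by the 2xx check. Whether you also want to surface the 403s is a tuning decision; on a patched instance they are the attempts that were stopped.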

By following these steps, organizations can close the gap quickly and preserve the integrity and availability of their recipe data. Applying the update promptly removes the ability of share recipients to modify what they were only meant to read, and restores the assumption that sharing a recipe book is a safe, read-only act.