Impact
Tandoor Recipes is a recipe management application that stores user recipes, meal plans, and shopping lists. This vulnerability resides in the batch update API endpoint, which erroneously permits any authenticated member of a recipe Space to modify every recipe within that Space, irrespective of each recipe's privacy setting. Because the authorization checks that normally protect individual recipe updates are bypassed, an attacker can force private recipes to become visible, grant themselves unauthorized access through shared lists, and alter metadata such as recipe names or instructions. The exposure of private content and the ability to change recipe data compromise confidentiality and integrity for affected users, while potentially impacting availability if critical recipes are deleted or corrupted.
Affected Systems
Tandoor Recipes versions prior to 2.6.4 are affected. The issue impacts any deployment where the API is exposed, including self-hosted installations and hosted instances, as long as an authenticated user belongs to the same Space as the target recipes. All product releases before the 2.6.4 update inherit this flaw, so a review of the installed version is required for every site hosting the application.
Risk and Exploitability
The CVSS score of 8.1 indicates a high risk level, but the EPSS score of less than 1% suggests that real-world exploitation is currently unlikely. The vulnerability does not appear in the CISA KEV catalog, further reducing the immediate threat perception. Nevertheless, although the attack surface is limited to authenticated users with membership in a Space, malicious insiders or compromised accounts could leverage the flaw. Exploiting the vulnerability requires sending a crafted PUT request to /api/recipe/batch_update/ with a payload affecting the desired recipes; no special privileges beyond Space membership are needed. Because the only precondition is an authenticated account in the same Space, defenders should review Space membership and confirm that no account has been granted broader access than intended.
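The authorization gap described in the Impact and Risk sections above, modelled in a few lines of Python as an added illustration (this is not Tandoor's own code, and the User, Space, Recipe, created_by and shared_with fields are simplified assumptions rather than the project's data model): a batch handler that scopes only by Space lets any member address every recipe in that Space, whereas the hardened form applies the same per-recipe rule that an individual update would, and rejects the whole batch if any requested recipe fails it.

```python
"""Added illustration (not Tandoor's own code) of a batch update that
scopes by Space only versus one that applies a per-recipe check.
The data model below is an assumption for the example."""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class User:
    id: int
    space_id: int


@dataclass
class Recipe:
    id: int
    space_id: int
    created_by: int
    private: bool = True                  # assumption: private unless the owner publishes it
    shared_with: FrozenSet[int] = frozenset()  # user ids the owner explicitly shared with
    name: str = ""


def can_edit(user: User, recipe: Recipe) -> bool:
    """Assumed per-recipe rule that a single-recipe update endpoint enforces."""
    if recipe.space_id != user.space_id:
        return False
    if recipe.created_by == user.id:
        return True
    return user.id in recipe.shared_with


def batch_targets_space_only(user: User, requested_ids: List[int],
                             recipes: List[Recipe]) -> List[Recipe]:
    """Vulnerable pattern: filter by Space membership only, so any member
    of the Space can address every recipe in it, private ones included."""
    wanted = set(requested_ids)
    return [r for r in recipes if r.id in wanted and r.space_id == user.space_id]


def batch_targets_checked(user: User, requested_ids: List[int],
                          recipes: List[Recipe]) -> List[Recipe]:
    """Hardened pattern: apply can_edit to every requested recipe and fail
    the whole batch on the first denial, so partial success cannot be used
    to learn which ids exist or are reachable."""
    wanted = set(requested_ids)
    found = [r for r in recipes if r.id in wanted]
    if len(found) != len(wanted):
        raise PermissionError("batch refers to a recipe that is not accessible")
    denied = sorted(r.id for r in found if not can_edit(user, r))
    if denied:
        raise PermissionError(f"not permitted to update recipes {denied}")
    return found


def batch_allowed(user: User, requested_ids: List[int], recipes: List[Recipe]) -> bool:
    """Convenience predicate: would the hardened handler accept this batch?"""
    try:
        batch_targets_checked(user, requested_ids, recipes)
        return True
    except PermissionError:
        return False


def apply_batch_update(user: User, requested_ids: List[int],
                       recipes: List[Recipe], *, private: bool) -> List[int]:
    """Hardened batch update: flip the privacy flag only on recipes the
    caller may edit; returns the ids actually changed."""
    targets = batch_targets_checked(user, requested_ids, recipes)
    for r in targets:
        r.private = private
    return [r.id for r in targets]


def sample_recipes() -> List[Recipe]:
    """Constructed sample data: two users (10 and 11) in Space 7, one in Space 8."""
    return [
        Recipe(id=1, space_id=7, created_by=10, name="alice-private"),
        Recipe(id=2, space_id=7, created_by=10, shared_with=frozenset({11}), name="alice-shared"),
        Recipe(id=3, space_id=7, created_by=11, name="bob-private"),
        Recipe(id=4, space_id=8, created_by=12, name="other-space"),
    ]


if __name__ == "__main__":
    bob = User(id=11, space_id=7)
    # Space-only scoping hands Bob every recipe in Space 7, including Alice's private one.
    print([r.name for r in batch_targets_space_only(bob, [1, 2, 3, 4], sample_recipes())])
    # The checked variant refuses the batch because recipe 1 is not editable by Bob.
    print(batch_allowed(bob, [1, 2, 3], sample_recipes()))
    print(apply_batch_update(bob, [2, 3], sample_recipes(), private=False))
```

The point of failing the entire batch rather than silently dropping denied ids is that a partial update would still let a caller distinguish recipes it may touch from those it may not, which is information the single-recipe endpoint would never leak.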
OpenCVE Enrichment