CVE-2026-35488 - Vulnerability Details

- Tandoor Recipes — CustomIsShared permits DELETE/PUT on RecipeBook by shared (read-only) users

Description

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, RecipeBookViewSet and RecipeBookEntryViewSet use CustomIsShared as an alternative permission class, but CustomIsShared.has_object_permission() returns True for all HTTP methods — including DELETE, PUT, and PATCH — without checking request.method in SAFE_METHODS. Any user who is in the shared list of a RecipeBook can delete or overwrite it, even though shared access is semantically read-only. This vulnerability is fixed in 2.6.4.

Published: 2026-04-07

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability exists in Tandoor Recipes, where the CustomIsShared permission component incorrectly grants all HTTP methods—DELETE, PUT, and PATCH—without verifying that the request is safe. Users who are listed as shared members of a RecipeBook, who are supposed to have read‑only access, can therefore delete or overwrite the entire book. This results in unauthorized data modification and effectively elevates a read‑only user to have full control over the targeted RecipeBook.

Affected Systems

The issue affects the Tandoor Recipes application for the recipes product. All releases earlier than version 2.6.4 are vulnerable, including the corresponding RecipeBookViewSet and RecipeBookEntryViewSet. Production deployments of the recipes application running any pre‑2.6.4 build are susceptible.

Risk and Exploitability

The CVSS score of 8.1 reflects a high severity of the defect, indicating significant impact if exploited. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed exploits to date. The attack requires authenticated access as a user who has been granted shared read‑only rights; the attacker can then issue DELETE or PUT HTTP requests against the shared RecipeBook API endpoints. Because the flaw lies in the permission layer, exploitation is straightforward for anyone with shared access, making the vulnerability highly actionable for malicious insiders or compromised shared users.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

TandoorRecipes

recipes

affected

Version	Status	Constraints
`< 2.6.4`	affected	—

No data.

Vendor Product Confidence Versions

Tandoorrecipes

Recipes

100%

Version	Status	Scheme	Platform
`[0,2.6.4)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Tandoor Recipes to version 2.6.4 or later
Verify that the RecipeBookEntryViewSet and RecipeBookViewSet use the corrected permission logic
Monitor shared RecipeBook activity for unexpected deletions or updates
Consult the vendor’s release notes or security advisories for additional updates

Generated by OpenCVE AI on April 7, 2026 at 22:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0004.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4
https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-xvmf-cfrq-4j8f

History

Wed, 08 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tandoorrecipes Tandoorrecipes recipes
Vendors & Products		Tandoorrecipes Tandoorrecipes recipes

Wed, 08 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 07 Apr 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, RecipeBookViewSet and RecipeBookEntryViewSet use CustomIsShared as an alternative permission class, but CustomIsShared.has_object_permission() returns True for all HTTP methods — including DELETE, PUT, and PATCH — without checking request.method in SAFE_METHODS. Any user who is in the shared list of a RecipeBook can delete or overwrite it, even though shared access is semantically read-only. This vulnerability is fixed in 2.6.4.
Title		Tandoor Recipes — CustomIsShared permits DELETE/PUT on RecipeBook by shared (read-only) users
Weaknesses		CWE-749
References		https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4 https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-xvmf-cfrq-4j8f
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}`

Subscriptions

Tandoorrecipes Recipes

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-07T14:51:25.861Z

Updated: 2026-04-08T14:48:54.946Z

Reserved: 2026-04-02T20:49:44.454Z

Link: CVE-2026-35488

Vulnrichment

Updated: 2026-04-08T14:48:46.370Z

NVD

Status : Awaiting Analysis

Published: 2026-04-07T16:16:27.003

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-35488

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:48:37Z

Weaknesses

CWE-749

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object