Impact
Tandoor Recipes provides an endpoint for adding items to a shopping list. The POST /api/food/{id}/shopping/ route accepts the amount and unit fields directly from the request data and passes them to the model creation function without validation. If amount contains a non‑numeric value, the backend raises an unhandled exception that results in a generic HTTP 500 response. Additionally, the unit identifier may belong to a different space, allowing an attacker to associate a shopping list item with foreign‑key references from another tenant. The other endpoints that create a shopping list entry use a serializer that correctly validates and sanitizes these fields, making this endpoint the sole source of the vulnerability. A fix was released with version 2.6.4, which restores proper validation.
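As an added illustration (not Tandoor's own code), the following pure-Python sketch contrasts the two handler behaviours the advisory describes: the pre-fix pattern that hands `amount` and `unit` straight to model creation, and a serializer-style version that returns a 400 with field errors and only accepts a unit belonging to the caller's space. The `UNITS` table, the space identifiers and the `handle` wrapper are constructed stand-ins for the Django/DRF machinery.

```python
from decimal import Decimal, InvalidOperation

# Constructed stand-in for the Unit table: unit id -> owning space id.
UNITS = {1: "space-a", 2: "space-a", 3: "space-b"}


class ValidationError(Exception):
    def __init__(self, errors):
        super().__init__(errors)
        self.errors = errors


def vulnerable_create(data, space_id):
    """Pre-2.6.4 pattern: request fields go straight into the model.
    A non-numeric amount raises here (-> HTTP 500); a unit id from
    another space is stored without any ownership check."""
    amount = float(data.get("amount", 1))
    return {"amount": amount, "unit": data.get("unit"), "space": space_id}


def validated_create(data, space_id):
    """Serializer-style validation: collect field errors, reject NaN, infinity
    and negatives, and only accept a unit that belongs to the caller's space."""
    errors = {}
    try:
        amount = Decimal(str(data.get("amount", 1)))
        if not amount.is_finite() or amount < 0:
            errors["amount"] = "must be a non-negative number"
    except InvalidOperation:
        errors["amount"] = "must be a number"
    unit = data.get("unit")
    # One message for "does not exist" and "belongs to another space", so the
    # response does not confirm that an id from another tenant exists.
    if unit is not None and UNITS.get(unit) != space_id:
        errors["unit"] = "unknown unit"
    if errors:
        raise ValidationError(errors)
    return {"amount": amount, "unit": unit, "space": space_id}


def handle(data, space_id, create):
    """Minimal view wrapper: ValidationError -> 400, anything else -> 500."""
    try:
        return 201, create(data, space_id)
    except ValidationError as exc:
        return 400, exc.errors
    except Exception:
        return 500, {"detail": "internal server error"}


if __name__ == "__main__":
    bad = {"amount": "lots", "unit": 1}
    print(handle(bad, "space-a", vulnerable_create))  # (500, ...)
    print(handle(bad, "space-a", validated_create))   # (400, {'amount': ...})
    print(handle({"amount": "2", "unit": 3}, "space-a", validated_create))
```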
Affected Systems
Tandoor Recipes, the recipe‑management application, is affected in all releases older than 2.6.4. The flaw exists in the POST endpoint that creates shopping list entries from a recipe by ID. On any installation running an earlier release, crafted requests to this endpoint can trigger the exception or expose cross‑space references.
Risk and Exploitability
The CVSS score of 7.3 indicates high severity, but the EPSS value of less than 1 percent suggests that active exploitation is currently unlikely. The vulnerability is not listed in CISA’s KEV catalog. The most probable attack vector involves sending a crafted POST request to the endpoint with an invalid amount string or an out‑of‑space unit ID; the endpoint is assumed to require API authentication, as Tandoor’s protected endpoints normally do. An attacker could disrupt services by triggering 500 errors and potentially glean foreign‑key references that reveal the existence of records in other tenant spaces. Administrators should monitor logs for repeated 500 responses on this route and apply the vendor’s patch to close the issue.
OpenCVE Enrichment