Impact Analysis

This vulnerability allows an authenticated admin user to perform sync operations on Sync configurations of other spaces, which they should not have access to.

• Trigger sync operations (Dropbox, Nextcloud, Local import) on other spaces' Sync configurations.
• View sync logs from other spaces, leading to information disclosure.
• Potential unauthorized recipe imports into other spaces if the sync mechanism allows write access.
• Because primary keys are sequential integers, it is easy to enumerate and exploit this vulnerability.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-28503 is a Cross-Space Insecure Direct Object Reference (IDOR) vulnerability in the Tandoor Recipes application. It occurs in the `SyncViewSet.query_synced_folder()` method, where the code fetches a Sync object without properly filtering by the user's space. This means an admin user from one space (Space A) can access and trigger sync operations on Sync configurations belonging to another space (Space B), and also view the sync logs from that other space.

The root cause is that the method uses `get_object_or_404(Sync, pk=pk)` without including the necessary `space=request.space` filter, allowing unauthorized access across spaces.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by verifying if the Tandoor Recipes application version is prior to 2.6.0 and by checking whether the `query_synced_folder` action in the `cookbook/views/api.py` file improperly fetches Sync objects without filtering by space.

Specifically, detection involves confirming if the code uses `get_object_or_404(Sync, pk=pk)` without including `space=request.space` as a filter parameter.

Since the vulnerability allows an authenticated admin user to access Sync configurations of other spaces, one can attempt to enumerate Sync primary keys (which are sequential integers) and observe if sync operations or logs from other spaces are accessible.

Suggested commands or steps to detect the vulnerability include:

• Check the installed version of Tandoor Recipes: ensure it is 2.6.0 or later.
• Review the source code of `cookbook/views/api.py` around line 903 to verify if `get_object_or_404` includes the `space=request.space` filter.
• Attempt to perform sync operations on Sync objects belonging to other spaces using an authenticated admin account and observe if unauthorized access or logs are returned.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the Tandoor Recipes application to version 2.6.0 or later, where this vulnerability has been patched.

The patch involves modifying the vulnerable code to include the space scoping filter when fetching Sync objects, changing the line from:

`sync = get_object_or_404(Sync, pk=pk)`

to:

`sync = get_object_or_404(Sync, pk=pk, space=request.space)`

This ensures that sync operations and log access are restricted to the authenticated user's space, preventing unauthorized cross-space access.

Until the upgrade is applied, restrict admin user permissions and monitor for suspicious sync activity that may indicate exploitation attempts.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an authenticated admin user in one space to access and trigger sync operations on configurations belonging to other spaces, as well as view sync logs from those spaces. This leads to unauthorized access and information disclosure.

Such unauthorized access and information disclosure could potentially violate data protection and privacy requirements found in common standards and regulations like GDPR and HIPAA, which mandate strict access controls and protection of sensitive information.

Therefore, this vulnerability may negatively impact compliance with these regulations by enabling cross-space data exposure and insufficient authorization controls.

Useful 0 Not Useful 0