CVE-2026-35045
Status: Received - Intake
Authorization Bypass in Tandoor Recipes Allows Private Recipe Modification

Publication date: 2026-04-06

Last updated on: 2026-04-10

Assigner: GitHub, Inc.

Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint in Tandoor Recipes allows any authenticated user within a Space to modify any recipe in that Space, including recipes marked as private by other users. This bypasses all object-level authorization checks enforced on standard single-recipe endpoints (PUT /api/recipe/{id}/), enabling forced exposure of private recipes, unauthorized self-grant of access via the shared list, and metadata tampering. This vulnerability is fixed in 2.6.4.
Meta Information
Published: 2026-04-06
Last Modified: 2026-04-10
Generated: 2026-06-16
AI Q&A: 2026-04-06
EPSS Evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products
1 associated CPE
Vendor: tandoor
Product: recipes
Version / Range: all versions up to 2.6.4 (2.6.4 excluded, i.e. 2.6.4 is the fixed release)
CWE
CWE-639 (Authorization Bypass Through User-Controlled Key): The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Quick Actions
Executive Summary

CVE-2026-35045 is an authorization bypass vulnerability (CWE-639) in Tandoor Recipes versions prior to 2.6.4, affecting the PUT /api/recipe/batch_update/ endpoint.

This vulnerability allows any authenticated user within a Space to modify any recipe in that Space, including private recipes owned by other users, bypassing the usual object-level authorization checks that are enforced on single-recipe endpoints.

The root cause is that the batch_update action does not invoke object-level permission checks and filters recipes only by Space without verifying ownership or privacy status.

As a result, users can change recipe visibility, grant themselves access by modifying shared lists, tamper with metadata, and remove legitimate users' access.

Impact Analysis

This vulnerability can lead to significant breaches of confidentiality and integrity within the Tandoor Recipes application.

  • Any authenticated user in a Space can expose private recipes by making them public.
  • Users can grant themselves unauthorized persistent access to private recipes by adding themselves to the shared access list.
  • Recipe metadata such as keywords and timing can be tampered with by unauthorized users.
  • Legitimate users' access can be revoked by removing them from the shared list.
Detection Guidance

This vulnerability is confirmed by actively testing the PUT /api/recipe/batch_update/ endpoint rather than by passive detection. With two accounts in the same Space, use the non-owner account to send an authenticated PUT request to this endpoint naming a private recipe that belongs to the other account, and observe whether the change is applied. Run the test only on an instance you are authorized to test, use a throwaway recipe, and revert the change afterwards.

A practical way to do this is a command-line HTTP client such as curl. The authorization header format and the batch_update payload field names must match the API of the Tandoor version you run, so check its API documentation first; the payload shape below is the page's example.

  • Example curl command to test the vulnerability (replace placeholders accordingly):
  • curl -X PUT https://<tandoor-recipes-host>/api/recipe/batch_update/ -H "Authorization: Token <your_auth_token>" -H "Content-Type: application/json" -d '{"recipes": [<other_user_private_recipe_id>], "private": false}'

If the request returns HTTP 200 OK and the other user's private recipe is modified (e.g., made public), the instance is vulnerable. On 2.6.4 or later the non-owned recipe should be excluded by the restricted queryset and left unchanged. For ongoing monitoring, log PUT requests to /api/recipe/batch_update/ together with the requesting user and the recipe IDs in the body, and flag any request in which the requester is neither the owner nor a space admin of every listed recipe.

Mitigation Strategies

The immediate mitigation step is to upgrade Tandoor Recipes to version 2.6.4 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, block PUT requests to /api/recipe/batch_update/ at the reverse proxy in front of Tandoor, or restrict them to administrators, accepting that any legitimate bulk-edit workflow that relies on the endpoint stops working until the upgrade. Single-recipe edits via PUT /api/recipe/{id}/ keep their object-level checks and need no change.

Additionally, review and monitor recipe modifications for unauthorized changes, especially changes to private recipes and shared access lists.

The underlying fix involves restricting the queryset in the batch_update endpoint to only allow modifications on recipes owned by the requesting user or by space admins, preventing unauthorized access and modification.
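The following Python is an added illustration of the two points above, not Tandoor's code: it models the pre-fix selection (filter by Space only) next to the fixed selection (owner or space admin), and reuses the same rule to review a batch_update log as the monitoring advice suggests. The Recipe and Space classes, the function names, and the sample data are assumptions made for this example; Tandoor's real Django models and permission classes differ.

```python
"""Illustrative model of the batch_update authorization gap (added example,
not Tandoor code; data model and names are assumptions for this example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Recipe:
    id: int
    space: str
    created_by: str
    private: bool = False
    shared: frozenset = frozenset()  # users the owner granted access to


@dataclass(frozen=True)
class Space:
    name: str
    admins: frozenset = frozenset()


def vulnerable_batch_targets(recipes, requested_ids, user, space):
    """Pre-fix behaviour as the advisory describes it: the batch queryset is
    filtered by Space only, so any member can select any recipe in the Space,
    private ones included. `user` is never consulted."""
    return sorted(r.id for r in recipes
                  if r.space == space.name and r.id in requested_ids)


def can_edit(recipe, user, space):
    """Object-level rule the fix applies: only the recipe's creator or a
    space admin may modify it through the batch endpoint."""
    return (recipe.space == space.name
            and (recipe.created_by == user or user in space.admins))


def hardened_batch_targets(recipes, requested_ids, user, space):
    """Fixed behaviour: the same object-level check is applied to every
    requested recipe. IDs the caller may not edit are dropped, which is what a
    restricted queryset does; rejecting the whole batch is the stricter option."""
    return sorted(r.id for r in recipes
                  if r.id in requested_ids and can_edit(r, user, space))


def audit_batch_updates(recipes, space, batch_log):
    """Retrospective review of batch_update calls. `batch_log` holds
    (requester, [recipe ids]) records reconstructed from application or proxy
    logs. Returns the (user, recipe_id) pairs that fail the object-level check,
    i.e. modifications a patched server would not have allowed."""
    by_id = {r.id: r for r in recipes}
    findings = []
    for user, ids in batch_log:
        for rid in ids:
            recipe = by_id.get(rid)
            if recipe is None or not can_edit(recipe, user, space):
                findings.append((user, rid))
    return findings


# Constructed sample data for the example (assumed, not real instance data).
SPACE = Space("family", admins=frozenset({"admin"}))
RECIPES = [
    Recipe(1, "family", "alice", private=True),
    Recipe(2, "family", "bob"),
    Recipe(3, "family", "bob", private=True),
    Recipe(4, "other", "carol", private=True),   # different Space
]
SAMPLE_BATCH_LOG = [            # constructed: (requester, recipe ids in the batch)
    ("bob", [2, 3]),            # bob edits his own recipes: allowed
    ("bob", [1, 3]),            # bob touches alice's private recipe 1: flag
    ("admin", [1, 2]),          # space admin: allowed
    ("alice", [4]),             # recipe in another Space: flag
]

if __name__ == "__main__":
    everything = {r.id for r in RECIPES}
    print("bob, vulnerable:", vulnerable_batch_targets(RECIPES, everything, "bob", SPACE))
    print("bob, hardened:  ", hardened_batch_targets(RECIPES, everything, "bob", SPACE))
    print("audit findings: ", audit_batch_updates(RECIPES, SPACE, SAMPLE_BATCH_LOG))
```

The vulnerable selector returns every recipe in the Space for bob, including alice's private recipe 1; the hardened selector returns only bob's own recipes, while the admin account still sees all three. The audit pass over the constructed log flags bob's access to recipe 1 and alice's cross-Space access to recipe 4, which is the kind of review the mitigation advice calls for.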

Compliance Impact

This vulnerability allows any authenticated user within a Space to bypass object-level authorization checks and modify private recipes owned by other users. This leads to forced exposure of private data and unauthorized modification of sensitive information.

Such unauthorized access to and modification of private data are confidentiality and integrity failures. Whether they have regulatory consequences depends on the deployment: GDPR applies where recipes or shared lists contain personal data, and sector rules such as HIPAA apply only if the instance processes data they regulate, which a recipe manager normally does not.

Where such rules do apply, the exposure of private recipes and the unauthorized changes to access controls could violate data protection principles that mandate strict access controls and protection of personal or sensitive data.
