CVE-2026-35045

Severity: HIGH · Lab: available

Tandoor Recipes Affected by Private Recipe Exposure and Unauthorized Modification

Title source: cna

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-35045. PoCs published by adminlove520, FilipeGaudard.

AI-analyzed exploit summary: The repository contains a functional exploit PoC for CVE-2026-35045, demonstrating a Broken Object-Level Authorization vulnerability in Tandoor Recipes. The PoC includes a Python script that exploits the `PUT /api/recipe/batch_update/` endpoint to bypass authorization checks and modify private recipes owned by other users.

Description

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to version 2.6.4, the PUT /api/recipe/batch_update/ endpoint allows any authenticated user within a Space to modify any recipe in that Space, including recipes that other users have marked private. The batch endpoint never performs the per-object authorization checks that the standard single-recipe endpoint (PUT /api/recipe/{id}/) enforces, so a Space member can force private recipes to be exposed, grant themselves access by adding their own user to a recipe's shared list, and tamper with recipe metadata. The vulnerability is fixed in 2.6.4.
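The authorization gap described above, as an added illustration written for this page rather than code from the Tandoor project: a simplified in-memory model in which the single-recipe path runs an object-level check, the pre-fix batch path filters only by Space and recipe id and writes to everything it matches, and a hardened batch path runs the same object-level rule on every matched row before writing anything. The Recipe fields, the `can_edit` rule, the field allow-list and all function names are assumptions made for the example; the constructed scenario packs the advisory's three impacts (exposure, self-grant via the shared list, metadata tampering) into one payload.

```python
"""Simplified model of the batch-update authorization gap described for
CVE-2026-35045. Illustrative code written for this page, not Tandoor's source:
the Recipe fields, the can_edit rule and the function names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


class PermissionDenied(Exception):
    """Stand-in for the HTTP 403 a DRF view raises from check_object_permissions()."""


# Fields a client may set; anything else (created_by, space, id) is rejected so the
# batch path cannot be turned into a mass-assignment door either.
ALLOWED_FIELDS = {"private", "shared", "name"}


@dataclass
class Recipe:
    id: int
    space: int
    created_by: int                                # owning user id
    private: bool = False
    shared: Set[int] = field(default_factory=set)  # user ids granted access
    name: str = ""


def can_edit(user_id: int, recipe: Recipe) -> bool:
    """Assumed object-level rule: a private recipe is writable only by its owner,
    a non-private recipe by any Space member. Tandoor's real rule may differ; the
    advisory's point is that batch_update never consulted it at all."""
    return (not recipe.private) or recipe.created_by == user_id


def _apply(recipe: Recipe, changes: Dict) -> None:
    bad = set(changes) - ALLOWED_FIELDS
    if bad:
        raise ValueError(f"fields not writable through this endpoint: {sorted(bad)}")
    for key, value in changes.items():
        setattr(recipe, key, set(value) if key == "shared" else value)


def _select(recipes: List[Recipe], space: int, ids: Iterable[int]) -> List[Recipe]:
    wanted = set(ids)
    return [r for r in recipes if r.space == space and r.id in wanted]


def single_update(recipe: Recipe, user_id: int, changes: Dict) -> Recipe:
    """PUT /api/recipe/{id}/ analogue: the per-object check runs before any write."""
    if not can_edit(user_id, recipe):
        raise PermissionDenied(f"user {user_id} may not edit recipe {recipe.id}")
    _apply(recipe, changes)
    return recipe


def batch_update_vulnerable(recipes, user_id, space, ids, changes) -> List[Recipe]:
    """Pre-2.6.4 shape: filter by Space and id, write to everything matched.
    The caller's identity plays no part in the selection; no per-object check runs."""
    targets = _select(recipes, space, ids)
    for r in targets:
        _apply(r, changes)
    return targets


def batch_update_fixed(recipes, user_id, space, ids, changes) -> List[Recipe]:
    """Hardened shape: run the same object-level rule on every matched row before
    touching any of them, so one denied row fails the whole batch (no partial writes)."""
    targets = _select(recipes, space, ids)
    denied = [r.id for r in targets if not can_edit(user_id, r)]
    if denied:
        raise PermissionDenied(f"user {user_id} may not edit recipes {denied}")
    for r in targets:
        _apply(r, changes)
    return targets


def demo() -> Dict[str, bool]:
    """Constructed scenario: a victim's private recipe and an attacker in the same Space."""
    victim, attacker, space = 1, 2, 10

    def fresh():
        return [Recipe(1, space, victim, private=True, name="Secret sauce"),
                Recipe(2, space, attacker, name="Toast")]

    # The advisory's three impacts in one payload: expose, self-grant, tamper.
    attack = {"private": False, "shared": [attacker], "name": "pwned"}

    recipes = fresh()
    batch_update_vulnerable(recipes, attacker, space, [1], attack)
    exposed = (not recipes[0].private) and attacker in recipes[0].shared

    recipes = fresh()
    try:
        batch_update_fixed(recipes, attacker, space, [1, 2], attack)
        blocked = False
    except PermissionDenied:
        blocked = True
    untouched = recipes[0].private and recipes[1].name == "Toast"

    owner_ok = batch_update_fixed(recipes, victim, space, [1], {"name": "renamed"})[0].name == "renamed"
    return {"vulnerable_exposed": exposed, "fixed_blocked": blocked,
            "fixed_all_or_nothing": untouched, "owner_batch_ok": owner_ok}


if __name__ == "__main__":
    print(demo())
```

The fixed path checks every row first and only then writes, rather than skipping denied rows silently: a silent skip would return 200 for a partially applied batch and hide the probe from the caller's error handling and from anyone reading the logs.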

Exploits (2)

Source: github · Working PoC · 3 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-35045

The repository contains a functional exploit PoC for CVE-2026-35045, demonstrating a Broken Object-Level Authorization vulnerability in Tandoor Recipes. The PoC includes a Python script that exploits the `PUT /api/recipe/batch_update/` endpoint to bypass authorization checks and modify private recipes owned by other users.

Classification: Working PoC (100%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Tandoor Recipes ≤ 2.6.1 (advisory: all versions prior to 2.6.4 are affected)
Auth required: yes
Prerequisites: Authenticated user within the target Space · Knowledge of target recipe ID and attacker user ID
devstral-2 · analyzed May 02, 2026
Source: nomisec · Working PoC · 1 star
by FilipeGaudard · poc
https://github.com/FilipeGaudard/CVE-2026-35045-PoC

The repository contains a functional exploit PoC for CVE-2026-35045, demonstrating a Broken Object-Level Authorization vulnerability in Tandoor Recipes. The exploit leverages a Django REST Framework behavioral gap in the `batch_update` endpoint to bypass object-level permission checks, allowing any authenticated user within a Space to modify any recipe, including private recipes owned by other users.

Classification: Working PoC (100%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Tandoor Recipes ≤ 2.6.1 (advisory: all versions prior to 2.6.4 are affected)
Auth required: yes
Prerequisites: Authenticated user within the target Space · Knowledge of the target recipe ID
devstral-2 · analyzed Apr 28, 2026

Scores

CVSS v3.1 base score: 8.1 (HIGH)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector: NETWORK
EPSS: 0.0027 (0.27%)
EPSS Percentile: 18.1%

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: no
Technical Impact: total

Lab Environment

Community Lab (vulnerable release 2.6.1; the fix shipped in 2.6.4):
docker pull vabene1111/recipes:2.6.1

Details

CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)
Status: published
Products (2):
tandoor/recipes < 2.6.4
TandoorRecipes/recipes < 2.6.4
Published: Apr 06, 2026
Tracked Since: Apr 06, 2026