Improper Permissions in Tandoor Recipes Application
CVE-2026-35488

8.1 HIGH

Key Information:

CVE Published: 7 April 2026

What is CVE-2026-35488?

The Tandoor Recipes application contains an improper permission management vulnerability in the RecipeBookViewSet and RecipeBookEntryViewSet components. Prior to version 2.6.4, the CustomIsShared permission class failed to adequately restrict access to sensitive operations: users listed in a RecipeBook's shared access could perform actions such as DELETE, PUT, and PATCH, which should be allowed only for owners. This flaw undermines the intended read-only access model for shared recipe books and exposes them to unauthorized modification. The issue is fixed in version 2.6.4.
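The permission pattern described above, modelled as an added example that is not Tandoor's code: a shared-access check that ignores the HTTP method next to one limited to read-only methods, with an audit that lists every write a non-owner can perform. The `RecipeBook` model, the function names, the sample users and the "owner OR shared" composition are assumptions made for illustration.

```python
# Stand-in model of a method-aware object permission check (not Tandoor's code).
from dataclasses import dataclass, field

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")   # read-only HTTP methods
WRITE_METHODS = ("PUT", "PATCH", "DELETE")  # the methods named in the advisory


@dataclass
class RecipeBook:  # hypothetical minimal model: one owner, a set of shared users
    owner: str
    shared: set = field(default_factory=set)


def is_owner(method, user, book):
    return user == book.owner


def shared_permissive(method, user, book):
    """Flawed pattern: membership in `shared` grants every method."""
    return user in book.shared


def shared_read_only(method, user, book):
    """Hardened pattern: shared users pass only for read-only methods."""
    return method in SAFE_METHODS and user in book.shared


def allowed(method, user, book, shared_check):
    # Assumed composition: access is granted if the owner check OR the shared check passes.
    return is_owner(method, user, book) or shared_check(method, user, book)


def audit(shared_check, book, users):
    """Return every (user, method) write that a non-owner is allowed to perform."""
    return sorted((u, m) for u in users for m in WRITE_METHODS
                  if u != book.owner and allowed(m, u, book, shared_check))


# Constructed sample data: alice owns the book, bob is shared, mallory is unrelated.
BOOK = RecipeBook(owner="alice", shared={"bob"})
USERS = ["alice", "bob", "mallory"]

if __name__ == "__main__":
    print("permissive:", audit(shared_permissive, BOOK, USERS))
    print("read-only :", audit(shared_read_only, BOOK, USERS))
```

The same audit shape works as a regression test against a real deployment: for each non-owner role, assert that every write method on a shared book is rejected.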

Affected Version(s)

recipes < 2.6.4

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
