Input Validation Flaw in Tandoor Recipes Application
CVE-2026-35489

7.3 HIGH

Key Information:

Status
Vendor
CVE Published: 7 April 2026

What is CVE-2026-35489?

Tandoor Recipes, a tool for recipe management and meal planning, has an input validation flaw in versions prior to 2.6.4. The POST /api/food/{id}/shopping/ endpoint does not properly validate request data before processing it. Invalid input, such as a non-numeric string for the quantity, raises an unhandled exception and results in an HTTP 500 error. In addition, unit IDs from different spaces may be improperly linked, which permits unauthorized access and cross-tenant data exposure. The issue is addressed in version 2.6.4 with enhanced validation mechanisms.
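
The two checks described above, as an added example that is not Tandoor's code or its actual fix: the quantity is parsed before use so bad input becomes a client error, and the unit is resolved only within the caller's space. The field names "quantity" and "unit", the Unit class and the UNITS table are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation


@dataclass(frozen=True)
class Unit:
    id: int
    space_id: int
    name: str


# Constructed sample data: two tenants ("spaces"), each owning one unit.
UNITS = {1: Unit(1, space_id=10, name="g"), 2: Unit(2, space_id=20, name="cup")}


class ValidationError(Exception):
    """Would map to an HTTP 400 response instead of an unhandled 500."""


def validate_shopping_payload(payload: dict, request_space_id: int) -> dict:
    """Validate the request body before any of it is used (hypothetical helper)."""
    errors = {}

    # Quantity: parse explicitly so "abc", NaN or Infinity is a client error.
    try:
        quantity = Decimal(str(payload.get("quantity", "1")))
        if not quantity.is_finite() or quantity <= 0:
            raise InvalidOperation
    except InvalidOperation:
        errors["quantity"] = "must be a positive number"

    # Unit: resolve it only inside the caller's space, never by bare ID.
    unit = None
    if payload.get("unit") is not None:
        try:
            unit_id = int(payload["unit"])
        except (TypeError, ValueError):
            unit_id = None
        unit = UNITS.get(unit_id)
        if unit is None or unit.space_id != request_space_id:
            unit = None
            # Same message for "missing" and "other space": no existence oracle.
            errors["unit"] = "unknown unit"

    if errors:
        raise ValidationError(errors)
    return {"quantity": quantity, "unit": unit}
```

Returning the same error for a missing unit and a unit owned by another space keeps the endpoint from confirming which IDs exist in other tenants.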

Affected Version(s)

recipes < 2.6.4

CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
