Cyber Posture

CVE-2026-35045

Severity: High · Public PoC

Published: 06 April 2026
Modified: 10 April 2026
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0004 (11.4th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35045 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Tandoor Recipes. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 11.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-16 (Security and Privacy Attributes).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 3 other techniques.
What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mandates enforcement of approved authorizations for object-level access to recipes, preventing the batch_update endpoint from bypassing checks on private recipes owned by other users.

Prevent: Enforces least privilege by restricting Space users to only their own or explicitly permitted recipes, mitigating unauthorized modifications via the vulnerable batch endpoint.

Prevent: Requires security attributes such as 'private' status to be associated with recipes and enforced across all endpoints, including batch updates, to block unauthorized access and tampering.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1213 Data from Information Repositories (Collection)
Adversaries may leverage information repositories to mine valuable information.

T1565 Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

An authorization bypass in a public-facing web application directly enables T1190 exploitation, resulting in privilege escalation (T1068), unauthorized collection from information repositories (T1213), and stored data manipulation (T1565).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint in Tandoor Recipes allows any authenticated user within a Space to modify any recipe in that Space, including recipes marked as private by other users. This bypasses all object-level authorization checks enforced on standard single-recipe endpoints (PUT /api/recipe/{id}/), enabling forced exposure of private recipes, unauthorized self-grant of access via the shared list, and metadata tampering. This vulnerability is fixed in 2.6.4.

Deeper analysis

CVE-2026-35045 is an authorization bypass vulnerability in Tandoor Recipes, a self-hosted web application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint fails to enforce proper object-level access controls, allowing any authenticated user within a shared Space to modify recipes owned by other users, including those explicitly marked as private. This circumvents the authorization checks present in standard single-recipe endpoints like PUT /api/recipe/{id}/, and is classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), reflecting high confidentiality and integrity impacts.

An attacker requires only low-privilege authentication as a user within the target Space to exploit this issue remotely over the network with no user interaction. Successful exploitation enables reading and modifying private recipes, injecting or altering content to force exposure, self-granting access through manipulation of shared lists, and tampering with recipe metadata. These actions could lead to unauthorized data disclosure, recipe corruption, or privilege escalation within the Space, potentially compromising the confidentiality and integrity of user-managed content across the application.

The vulnerability is addressed in Tandoor Recipes version 2.6.4, as detailed in the project's release notes and security advisory. Security practitioners should upgrade to 2.6.4 or later, review access controls in multi-user Spaces, and audit batch update endpoints for similar bypasses in custom deployments. Relevant resources include the GitHub release at https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4 and the advisory at https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-v8x3-w674-55p5.
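To make the CWE-639 pattern described above concrete, the following added illustration (not Tandoor's own code) models a batch update handler that scopes its query to the Space only, next to a hardened variant that applies the same object-level rule the single-recipe endpoint would. The data model, the `can_edit` rule, and the function names are constructed assumptions for the example, not the project's actual implementation.

```python
# Added illustration of the CWE-639 pattern described above, not Tandoor's own code.
# The data model, permission rule and function names are constructed assumptions.
from dataclasses import dataclass, field


@dataclass
class Recipe:
    id: int
    space: str
    owner: str
    private: bool = False
    shared: set = field(default_factory=set)   # users explicitly granted access
    name: str = ""


def can_edit(user: str, space: str, recipe: Recipe) -> bool:
    """Object-level rule assumed for the single-recipe endpoint (PUT /api/recipe/{id}/):
    same Space, and either owner, explicitly shared with, or the recipe is not private."""
    if recipe.space != space:
        return False
    return recipe.owner == user or user in recipe.shared or not recipe.private


def batch_update_vulnerable(db, user, space, ids, changes):
    """Mirrors the flaw: the queryset is scoped to the Space only, so the per-object
    check enforced on the single-recipe endpoint is never consulted."""
    touched = [r for r in db if r.id in ids and r.space == space]
    for r in touched:
        for k, v in changes.items():
            setattr(r, k, v)
    return [r.id for r in touched]


def batch_update_fixed(db, user, space, ids, changes):
    """Hardened variant: run the same object-level rule over every recipe in the batch
    and reject the whole request if any object fails, so no partial write happens."""
    candidates = [r for r in db if r.id in ids and r.space == space]
    denied = [r.id for r in candidates if not can_edit(user, space, r)]
    if denied:
        raise PermissionError(f"not permitted to modify recipes {denied}")
    for r in candidates:
        for k, v in changes.items():
            setattr(r, k, v)
    return [r.id for r in candidates]


def sample_db():
    # Constructed sample: alice's private recipe and bob's public one, same Space.
    return [Recipe(1, "home", "alice", private=True, name="secret sauce"),
            Recipe(2, "home", "bob", private=False, name="toast")]
```

The hardened variant checks the whole batch before writing anything, which is the property to verify when auditing similar bulk endpoints: a per-object check that runs only on single-item routes is not a check at all.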

Details

CWE(s): CWE-639 (Authorization Bypass Through User-Controlled Key)

Affected Products: tandoor recipes, ≤ 2.6.4

CVEs Like This One

CVE-2026-35489 (same product: Tandoor Recipes)
CVE-2026-33149 (same product: Tandoor Recipes)
CVE-2025-23211 (same product: Tandoor Recipes)
CVE-2026-33152 (same product: Tandoor Recipes)
CVE-2025-23213 (same product: Tandoor Recipes)
CVE-2025-23212 (same product: Tandoor Recipes)
CVE-2026-35488 (same product: Tandoor Recipes)
CVE-2026-25991 (same product: Tandoor Recipes)
CVE-2026-34055 (shared CWE-639)
CVE-2026-33678 (shared CWE-639)
