CVE-2026-35488
Published: 07 April 2026
Summary
CVE-2026-35488 is a high-severity Exposed Dangerous Method or Function (CWE-749) vulnerability in Tandoor Recipes. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485). Its exploit likelihood ranks at the 5.2 percentile (below the median); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Requires enforcement of approved authorizations for access to resources, directly mitigating the flawed CustomIsShared permission class that allowed destructive HTTP methods on read-only shared RecipeBooks.
- AC-6 (Least Privilege): Mandates least privilege by granting only necessary access, preventing shared users from performing DELETE, PUT, or PATCH operations on books intended to be read-only.
- Flaw remediation: Directly addresses software flaws like this permission bypass by requiring timely identification, reporting, and correction, as demonstrated by the patch in version 2.6.4.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Permission bypass enables unauthorized deletion/overwriting of RecipeBooks by shared users, directly facilitating data destruction and stored data manipulation.
NVD Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, RecipeBookViewSet and RecipeBookEntryViewSet use CustomIsShared as an alternative permission class, but CustomIsShared.has_object_permission() returns True for all HTTP methods — including DELETE, PUT, and PATCH — without checking request.method in SAFE_METHODS. Any user who is in the shared list of a RecipeBook can delete or overwrite it, even though shared access is semantically read-only. This vulnerability is fixed in 2.6.4.
Deeper analysis
CVE-2026-35488 is a permission bypass vulnerability in Tandoor Recipes, an open-source application for managing recipes, planning meals, and building shopping lists. Versions prior to 2.6.4 are affected, specifically in the RecipeBookViewSet and RecipeBookEntryViewSet components. These use a CustomIsShared permission class whose has_object_permission() method returns True for all HTTP methods—including DELETE, PUT, and PATCH—without checking if the request.method is within SAFE_METHODS. This allows shared users to perform destructive actions on RecipeBooks, despite shared access being intended as read-only.
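As an added illustration (not Tandoor's own code, which this advisory does not reproduce), the flaw described above in miniature: a shared-user object permission with and without the SAFE_METHODS guard, evaluated as an alternative to an owner check the way the affected viewsets combine permission classes. Small stand-ins replace the Django REST Framework request and model types so the sketch runs without Django; class, model and sample names are hypothetical.

```python
# Added illustration of the CustomIsShared flaw, not Tandoor's code.
# Stand-alone stand-ins replace Django REST Framework (DRF) types so this
# runs without Django; all names below are hypothetical.
from dataclasses import dataclass, field

# DRF's SAFE_METHODS: the read-only HTTP verbs.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass
class RecipeBook:          # stand-in for the real model
    owner: str
    shared: set = field(default_factory=set)


@dataclass
class Request:             # stand-in for a DRF request
    user: str
    method: str


class IsOwner:
    def has_object_permission(self, request, view, obj):
        return request.user == obj.owner


class VulnerableIsShared:
    """Pre-2.6.4 behaviour: being in the shared list grants access for
    every method, so a shared user can DELETE, PUT or PATCH the book."""

    def has_object_permission(self, request, view, obj):
        return request.user in obj.shared


class FixedIsShared:
    """Shared access is read-only: refuse any non-safe method before
    the shared-list membership is even consulted."""

    def has_object_permission(self, request, view, obj):
        if request.method not in SAFE_METHODS:
            return False
        return request.user in obj.shared


def decisions(shared_perm, book, user):
    """Owner OR shared_perm (DRF's `|` composition), per HTTP method."""
    return {
        m: IsOwner().has_object_permission(Request(user, m), None, book)
        or shared_perm().has_object_permission(Request(user, m), None, book)
        for m in ("GET", "DELETE", "PUT", "PATCH")
    }


BOOK = RecipeBook(owner="alice", shared={"bob"})  # constructed sample data
```

With the vulnerable class, the shared user "bob" is granted DELETE, PUT and PATCH on Alice's book; with the fixed class he keeps GET only, while the owner's write access is unchanged.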
The vulnerability can be exploited by any authenticated user (PR:L) listed in a RecipeBook's shared list, over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables deletion or overwriting of the RecipeBook (I:H/A:H), with no confidentiality impact (C:N) and unchanged scope (S:U). The CVSS v3.1 base score is 8.1, mapped to CWE-749 (Exposed Dangerous Method or Function).
The issue is addressed in Tandoor Recipes version 2.6.4. Security practitioners should upgrade to this release for mitigation. Additional details are available in the GitHub release notes at https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4 and the security advisory at https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-xvmf-cfrq-4j8f.
Details
- CWE(s)