Cyber Resilience

CVE-2026-35489

HighPublic PoC

Published: 07 April 2026

Published
07 April 2026
Modified
14 April 2026
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0020 42.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-35489 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Tandoor Recipes. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-35489 affects Tandoor Recipes, a self-hosted web application for managing recipes, planning meals, and building shopping lists, in versions prior to 2.6.4. The vulnerability resides in the POST /api/food/{id}/shopping/ endpoint, which directly reads the amount and unit fields from request.data without validation before passing them to ShoppingListEntry.objects.create(). This leads to two issues: supplying invalid (non-numeric) amount values triggers an unhandled exception resulting in an HTTP 500 error, and providing a unit ID from a different Space enables cross-space association of foreign-key references, leaking data across tenant boundaries. Unlike other endpoints that use the ShoppingListEntrySerializer for validation and sanitization, this endpoint lacks such protections. The issue carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-1284 (Improper Validation of Specified Quantity in Input).

The vulnerability is exploitable remotely over the network by unauthenticated attackers with no privileges required and low complexity. An attacker can send a crafted POST request to the vulnerable endpoint: non-numeric strings in the amount field cause a server-side crash and HTTP 500 response, enabling denial-of-service; a unit ID belonging to another tenant's Space allows improper association, potentially leaking sensitive foreign-key references and enabling cross-tenant data inference or manipulation.

The vulnerability is addressed in Tandoor Recipes version 2.6.4, as detailed in the project's release notes and GitHub security advisory GHSA-8w8h-3pv2-3554. Security practitioners should upgrade to 2.6.4 or later to apply the fix, which presumably adds proper validation via the ShoppingListEntrySerializer or equivalent sanitization to the affected endpoint.

EU & UK References

Vulnerability details

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the POST /api/food/{id}/shopping/ endpoint reads amount and unit directly from request.data and passes them without validation to ShoppingListEntry.objects.create(). Invalid amount values (non-numeric strings)…

more

cause an unhandled exception and HTTP 500. A unit ID from a different Space can be associated cross-space, leaking foreign-key references across tenant boundaries. All other endpoints creating ShoppingListEntry use ShoppingListEntrySerializer, which validates and sanitizes these fields. This vulnerability is fixed in 2.6.4.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability in public-facing web app endpoint enables remote exploitation (T1190) via crafted requests; invalid input causes unhandled exceptions for application DoS (T1499.004), with auth bypass allowing cross-tenant data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-35045Same product: Tandoor Recipes
CVE-2026-33149Same product: Tandoor Recipes
CVE-2025-23211Same product: Tandoor Recipes
CVE-2026-33152Same product: Tandoor Recipes
CVE-2026-25991Same product: Tandoor Recipes
CVE-2026-35488Same product: Tandoor Recipes
CVE-2025-23212Same product: Tandoor Recipes
CVE-2025-23213Same product: Tandoor Recipes
CVE-2026-22383Shared CWE-639
CVE-2023-54337Shared CWE-1284

Affected Assets

tandoor
recipes
≤ 2.6.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation and sanitization of amount and unit inputs in the POST /api/food/{id}/shopping/ endpoint to prevent invalid data causing exceptions or cross-tenant foreign-key associations.

prevent

Mandates proper error handling for invalid amount values to avoid unhandled exceptions resulting in HTTP 500 denial-of-service responses.

prevent

Enforces access control policies to validate unit IDs and prevent cross-space associations that leak foreign-key references across tenant boundaries.

References