CVE-2026-35489
Published: 07 April 2026
Summary
CVE-2026-35489 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Tandoor Recipes. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 34.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires validation and sanitization of the amount and unit inputs in the POST /api/food/{id}/shopping/ endpoint, so that invalid data cannot cause exceptions or cross-tenant foreign-key associations.
- Mandates proper error handling for invalid amount values, so that unhandled exceptions do not turn into HTTP 500 denial-of-service responses.
- Enforces access control policies that validate unit IDs against the caller's Space and prevent cross-space associations that leak foreign-key references across tenant boundaries.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerable endpoint belongs to a public-facing web application, so it can be exploited remotely with crafted requests (T1190). Invalid input causes unhandled exceptions, giving application-level denial of service (T1499.004), and the missing authorization check allows cross-tenant data access.
NVD Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the POST /api/food/{id}/shopping/ endpoint reads amount and unit directly from request.data and passes them without validation to ShoppingListEntry.objects.create(). Invalid amount values (non-numeric strings) cause an unhandled exception and HTTP 500. A unit ID from a different Space can be associated cross-space, leaking foreign-key references across tenant boundaries. All other endpoints creating ShoppingListEntry use ShoppingListEntrySerializer, which validates and sanitizes these fields. This vulnerability is fixed in 2.6.4.
Deeper analysis
CVE-2026-35489 affects Tandoor Recipes, a self-hosted web application for managing recipes, planning meals, and building shopping lists, in versions prior to 2.6.4. The vulnerability resides in the POST /api/food/{id}/shopping/ endpoint, which directly reads the amount and unit fields from request.data without validation before passing them to ShoppingListEntry.objects.create(). This leads to two issues: supplying invalid (non-numeric) amount values triggers an unhandled exception resulting in an HTTP 500 error, and providing a unit ID from a different Space enables cross-space association of foreign-key references, leaking data across tenant boundaries. Unlike other endpoints that use the ShoppingListEntrySerializer for validation and sanitization, this endpoint lacks such protections. The issue carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-1284 (Improper Validation of Specified Quantity in Input).
The vulnerability is exploitable remotely over the network by unauthenticated attackers, with no privileges required and low attack complexity. A crafted POST request to the vulnerable endpoint has two effects: non-numeric strings in the amount field cause a server-side exception and an HTTP 500 response, enabling denial of service; a unit ID belonging to another tenant's Space is accepted and associated with the entry, potentially leaking sensitive foreign-key references and enabling cross-tenant data inference or manipulation.
The vulnerability is addressed in Tandoor Recipes version 2.6.4, as detailed in the project's release notes and GitHub security advisory GHSA-8w8h-3pv2-3554. Security practitioners should upgrade to 2.6.4 or later to apply the fix, which presumably adds proper validation via the ShoppingListEntrySerializer or equivalent sanitization to the affected endpoint.
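As an added illustration (not Tandoor's code, and not the actual patch), the unsafe pattern described above is shown beside the kind of validation the serializer-backed endpoints perform. The Unit table is a constructed in-memory dictionary instead of a Django model, and all function and variable names are assumptions; the hardened validator also rejects non-finite and negative quantities, which goes slightly beyond what the advisory describes.

```python
from decimal import Decimal, InvalidOperation

# Constructed stand-in for the Unit table: id -> owning Space.
# Units 1 and 2 belong to Space 10; unit 3 belongs to another tenant (Space 20).
UNITS = {
    1: {"name": "g", "space_id": 10},
    2: {"name": "ml", "space_id": 10},
    3: {"name": "cup", "space_id": 20},
}


class ValidationError(ValueError):
    """Client error; a view maps this to HTTP 400 instead of an unhandled 500."""


def create_entry_unvalidated(data, space_id):
    """The flawed pattern: request fields go straight into the stored row.

    A non-numeric amount raises ValueError (surfacing as HTTP 500), and a
    unit id from another Space is stored without any tenant check.
    """
    return {"amount": float(data["amount"]), "unit": data["unit"], "space_id": space_id}


def validate_shopping_entry(data, space_id):
    """Validate amount and unit the way a tenant-aware serializer would.

    Returns the cleaned fields on success; raises ValidationError otherwise.
    """
    try:
        amount = Decimal(str(data.get("amount", 1)))
    except InvalidOperation:
        raise ValidationError({"amount": "must be a number"}) from None
    # Decimal happily parses "NaN" and "Infinity"; neither is a usable quantity.
    if not amount.is_finite() or amount < 0:
        raise ValidationError({"amount": "must be a finite, non-negative number"})

    unit_id = data.get("unit")
    if unit_id is not None:
        # Resolve the unit only within the caller's Space, so an id owned by
        # another tenant is indistinguishable from one that does not exist.
        unit = UNITS.get(unit_id)
        if unit is None or unit["space_id"] != space_id:
            raise ValidationError({"unit": "unknown unit"})

    return {"amount": amount, "unit": unit_id, "space_id": space_id}


def is_rejected(data, space_id):
    """True if validate_shopping_entry refuses the input with a client error."""
    try:
        validate_shopping_entry(data, space_id)
    except ValidationError:
        return True
    return False
```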
Details
- CWE(s)