CVE-2026-35045Tandoor · Recipes
Vulnerability data via NVD (ingested)
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint in Tandoor Recipes allows any authenticated user within a Space to modify any recipe in that Space, including recipes marked as private by other users. This bypasses all object-level authorization checks enforced on standard single-recipe endpoints (PUT /api/recipe/{id}/), enabling forced exposure of private recipes, unauthorized self-grant of access via the shared list, and metadata tampering. This vulnerability is fixed in 2.6.4.
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2026-35045product:"Tandoor Recipes"http.html:"Recipes"More intel sources (5)
vuln:CVE-2026-35045vulnerabilities.cve_id: CVE-2026-35045CVE-2026-35045CVE-2026-35045"CVE-2026-35045" exploit -site:nvd.nist.gov