{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/data-modification/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-35488"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tandoor Recipes"],"_cs_severities":["high"],"_cs_tags":["CVE-2026-35488","Tandoor Recipes","Unauthorized Access","Data Modification"],"_cs_type":"advisory","_cs_vendors":["Tandoor"],"content_html":"\u003cp\u003eTandoor Recipes, a popular application used for managing recipes, planning meals, and building shopping lists, contains a critical vulnerability (CVE-2026-35488) in versions prior to 2.6.4. The vulnerability stems from improper permission handling within the \u003ccode\u003eCustomIsShared\u003c/code\u003e permission class in the \u003ccode\u003eRecipeBookViewSet\u003c/code\u003e and \u003ccode\u003eRecipeBookEntryViewSet\u003c/code\u003e. Specifically, the \u003ccode\u003ehas_object_permission()\u003c/code\u003e method incorrectly returns \u003ccode\u003eTrue\u003c/code\u003e for all HTTP methods, including \u003ccode\u003eDELETE\u003c/code\u003e, \u003ccode\u003ePUT\u003c/code\u003e, and \u003ccode\u003ePATCH\u003c/code\u003e, without validating if the request method is considered a \u003ccode\u003eSAFE_METHODS\u003c/code\u003e (e.g., \u003ccode\u003eGET\u003c/code\u003e, \u003ccode\u003eHEAD\u003c/code\u003e, \u003ccode\u003eOPTIONS\u003c/code\u003e). This oversight allows any user included on the shared list of a \u003ccode\u003eRecipeBook\u003c/code\u003e to not only view but also delete or overwrite the book's contents, even though shared access is semantically intended to be read-only. This poses a significant risk of data loss and unauthorized modification of user data. The vulnerability is addressed in version 2.6.4.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains legitimate access to a Tandoor Recipes instance.\u003c/li\u003e\n\u003cli\u003eA victim creates a RecipeBook and shares it with the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the API endpoint for RecipeBook modification (e.g., \u003ccode\u003e/api/recipebooks/{id}\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP PUT request to modify the RecipeBook, bypassing intended permission checks.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted PUT request to the Tandoor Recipes server, including data to overwrite existing recipe information.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a malicious HTTP DELETE request to delete the RecipeBook, also bypassing permission checks.\u003c/li\u003e\n\u003cli\u003eThe server processes the unauthorized PUT or DELETE request due to the flawed CustomIsShared permission class.\u003c/li\u003e\n\u003cli\u003eThe RecipeBook is either modified with the attacker's data or completely deleted, leading to data loss or corruption for the victim.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35488 allows any user with shared access to a RecipeBook to completely overwrite or delete it. This leads to a complete loss of recipe data for the owner and any other shared users. Given the nature of Tandoor Recipes, the impact is primarily data loss and corruption of personal data; however, in scenarios where Tandoor Recipes is used in a collaborative or professional environment (e.g., a restaurant managing recipes), the impact could extend to operational disruption. While the exact number of vulnerable installations is unknown, the wide adoption of Tandoor Recipes suggests a potentially large user base at risk prior to upgrading to version 2.6.4.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Tandoor Recipes to version 2.6.4 or later to remediate CVE-2026-35488.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Tandoor RecipeBook Unauthorized Modification\u0026quot; to identify potential exploitation attempts targeting the RecipeBook API endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for PUT/PATCH/DELETE requests to RecipeBook API endpoints originating from users with only shared access, as indicated by anomalous HTTP request patterns related to RecipeBook IDs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-tandoor-recipe-overwrite/","summary":"Tandoor Recipes versions prior to 2.6.4 allow unauthorized modification and deletion of RecipeBooks due to a flaw in the CustomIsShared permission class which grants write access to shared users regardless of intended read-only permissions.","title":"Tandoor Recipes Unauthorized RecipeBook Modification Vulnerability (CVE-2026-35488)","url":"https://feed.craftedsignal.io/briefs/2024-01-tandoor-recipe-overwrite/"}],"language":"en","title":"CraftedSignal Threat Feed - Data Modification","version":"https://jsonfeed.org/version/1.1"}