<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Data Modification - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/data-modification/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 23 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/data-modification/feed.xml" rel="self" type="application/rss+xml"/><item><title>Tandoor Recipes Unauthorized RecipeBook Modification Vulnerability (CVE-2026-35488)</title><link>https://feed.craftedsignal.io/briefs/2024-01-tandoor-recipe-overwrite/</link><pubDate>Tue, 23 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-tandoor-recipe-overwrite/</guid><description>Tandoor Recipes versions prior to 2.6.4 allow unauthorized modification and deletion of RecipeBooks due to a flaw in the CustomIsShared permission class which grants write access to shared users regardless of intended read-only permissions.</description><content:encoded><![CDATA[<p>Tandoor Recipes, a popular application used for managing recipes, planning meals, and building shopping lists, contains a critical vulnerability (CVE-2026-35488) in versions prior to 2.6.4. The vulnerability stems from improper permission handling within the <code>CustomIsShared</code> permission class in the <code>RecipeBookViewSet</code> and <code>RecipeBookEntryViewSet</code>. Specifically, the <code>has_object_permission()</code> method incorrectly returns <code>True</code> for all HTTP methods, including <code>DELETE</code>, <code>PUT</code>, and <code>PATCH</code>, without validating if the request method is considered a <code>SAFE_METHODS</code> (e.g., <code>GET</code>, <code>HEAD</code>, <code>OPTIONS</code>). This oversight allows any user included on the shared list of a <code>RecipeBook</code> to not only view but also delete or overwrite the book's contents, even though shared access is semantically intended to be read-only. This poses a significant risk of data loss and unauthorized modification of user data. The vulnerability is addressed in version 2.6.4.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains legitimate access to a Tandoor Recipes instance.</li>
<li>A victim creates a RecipeBook and shares it with the attacker.</li>
<li>The attacker identifies the API endpoint for RecipeBook modification (e.g., <code>/api/recipebooks/{id}</code>).</li>
<li>The attacker crafts a malicious HTTP PUT request to modify the RecipeBook, bypassing intended permission checks.</li>
<li>The attacker sends the crafted PUT request to the Tandoor Recipes server, including data to overwrite existing recipe information.</li>
<li>Alternatively, the attacker crafts a malicious HTTP DELETE request to delete the RecipeBook, also bypassing permission checks.</li>
<li>The server processes the unauthorized PUT or DELETE request due to the flawed CustomIsShared permission class.</li>
<li>The RecipeBook is either modified with the attacker's data or completely deleted, leading to data loss or corruption for the victim.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-35488 allows any user with shared access to a RecipeBook to completely overwrite or delete it. This leads to a complete loss of recipe data for the owner and any other shared users. Given the nature of Tandoor Recipes, the impact is primarily data loss and corruption of personal data; however, in scenarios where Tandoor Recipes is used in a collaborative or professional environment (e.g., a restaurant managing recipes), the impact could extend to operational disruption. While the exact number of vulnerable installations is unknown, the wide adoption of Tandoor Recipes suggests a potentially large user base at risk prior to upgrading to version 2.6.4.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Tandoor Recipes to version 2.6.4 or later to remediate CVE-2026-35488.</li>
<li>Deploy the Sigma rule &quot;Detect Tandoor RecipeBook Unauthorized Modification&quot; to identify potential exploitation attempts targeting the RecipeBook API endpoint.</li>
<li>Monitor web server logs for PUT/PATCH/DELETE requests to RecipeBook API endpoints originating from users with only shared access, as indicated by anomalous HTTP request patterns related to RecipeBook IDs.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>CVE-2026-35488</category><category>Tandoor Recipes</category><category>Unauthorized Access</category><category>Data Modification</category></item></channel></rss>