{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/tandoor-recipes/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-35045"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tandoor Recipes"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","web-application","tandoor-recipes"],"_cs_type":"advisory","_cs_vendors":["Tandoor Recipes"],"content_html":"\u003cp\u003eTandoor Recipes, an application for managing recipes, planning meals, and building shopping lists, contains an authentication bypass vulnerability. Specifically, versions prior to 2.6.4 are susceptible to CVE-2026-35045. This flaw enables any authenticated user within a shared Space to modify any recipe within that Space, regardless of the recipe's privacy settings. The vulnerability stems from a lack of object-level authorization checks on the \u003ccode\u003e/api/recipe/batch_update/\u003c/code\u003e endpoint, contrasting with the more restrictive single-recipe endpoints (PUT \u003ccode\u003e/api/recipe/{id}/\u003c/code\u003e). This allows attackers to force the exposure of private recipes, grant themselves unauthorized access, and tamper with recipe metadata. Defenders should prioritize upgrading Tandoor Recipes to version 2.6.4 to remediate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to a Tandoor Recipes instance.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a Space containing recipes they wish to modify, including private recipes.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003ePUT\u003c/code\u003e request to the \u003ccode\u003e/api/recipe/batch_update/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a payload designed to modify the target recipe (e.g., changing the recipe name, ingredients, or privacy settings).\u003c/li\u003e\n\u003cli\u003eThe application, lacking proper authorization checks on this endpoint, processes the request.\u003c/li\u003e\n\u003cli\u003eThe target recipe is modified according to the attacker's specifications, bypassing intended privacy restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker can then exfiltrate or further manipulate the recipe data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35045 can lead to the unauthorized disclosure of private recipes, potentially containing sensitive personal information or proprietary culinary techniques. It can also facilitate the tampering of recipe data, leading to incorrect or malicious instructions. This vulnerability affects all Tandoor Recipes instances running versions prior to 2.6.4 and accessible to authenticated users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Tandoor Recipes to version 2.6.4 or later to patch CVE-2026-35045.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Tandoor Recipe Batch Update\u003c/code\u003e to monitor for suspicious requests to the \u003ccode\u003e/api/recipe/batch_update/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eReview webserver access logs for unusual PUT requests targeting the \u003ccode\u003e/api/recipe/batch_update/\u003c/code\u003e endpoint after authentication, to identify possible exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-27T12:00:00Z","date_published":"2024-01-27T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-tandoor-recipe-auth-bypass/","summary":"Tandoor Recipes before version 2.6.4 allows authenticated users within a space to modify any recipe in that space, including private ones, via the PUT /api/recipe/batch_update/ endpoint, bypassing object-level authorization checks and enabling unauthorized access and data tampering.","title":"Tandoor Recipes Authentication Bypass Vulnerability (CVE-2026-35045)","url":"https://feed.craftedsignal.io/briefs/2024-01-tandoor-recipe-auth-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-35488"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tandoor Recipes"],"_cs_severities":["high"],"_cs_tags":["CVE-2026-35488","Tandoor Recipes","Unauthorized Access","Data Modification"],"_cs_type":"advisory","_cs_vendors":["Tandoor"],"content_html":"\u003cp\u003eTandoor Recipes, a popular application used for managing recipes, planning meals, and building shopping lists, contains a critical vulnerability (CVE-2026-35488) in versions prior to 2.6.4. The vulnerability stems from improper permission handling within the \u003ccode\u003eCustomIsShared\u003c/code\u003e permission class in the \u003ccode\u003eRecipeBookViewSet\u003c/code\u003e and \u003ccode\u003eRecipeBookEntryViewSet\u003c/code\u003e. Specifically, the \u003ccode\u003ehas_object_permission()\u003c/code\u003e method incorrectly returns \u003ccode\u003eTrue\u003c/code\u003e for all HTTP methods, including \u003ccode\u003eDELETE\u003c/code\u003e, \u003ccode\u003ePUT\u003c/code\u003e, and \u003ccode\u003ePATCH\u003c/code\u003e, without validating if the request method is considered a \u003ccode\u003eSAFE_METHODS\u003c/code\u003e (e.g., \u003ccode\u003eGET\u003c/code\u003e, \u003ccode\u003eHEAD\u003c/code\u003e, \u003ccode\u003eOPTIONS\u003c/code\u003e). This oversight allows any user included on the shared list of a \u003ccode\u003eRecipeBook\u003c/code\u003e to not only view but also delete or overwrite the book's contents, even though shared access is semantically intended to be read-only. This poses a significant risk of data loss and unauthorized modification of user data. The vulnerability is addressed in version 2.6.4.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains legitimate access to a Tandoor Recipes instance.\u003c/li\u003e\n\u003cli\u003eA victim creates a RecipeBook and shares it with the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the API endpoint for RecipeBook modification (e.g., \u003ccode\u003e/api/recipebooks/{id}\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP PUT request to modify the RecipeBook, bypassing intended permission checks.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted PUT request to the Tandoor Recipes server, including data to overwrite existing recipe information.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a malicious HTTP DELETE request to delete the RecipeBook, also bypassing permission checks.\u003c/li\u003e\n\u003cli\u003eThe server processes the unauthorized PUT or DELETE request due to the flawed CustomIsShared permission class.\u003c/li\u003e\n\u003cli\u003eThe RecipeBook is either modified with the attacker's data or completely deleted, leading to data loss or corruption for the victim.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35488 allows any user with shared access to a RecipeBook to completely overwrite or delete it. This leads to a complete loss of recipe data for the owner and any other shared users. Given the nature of Tandoor Recipes, the impact is primarily data loss and corruption of personal data; however, in scenarios where Tandoor Recipes is used in a collaborative or professional environment (e.g., a restaurant managing recipes), the impact could extend to operational disruption. While the exact number of vulnerable installations is unknown, the wide adoption of Tandoor Recipes suggests a potentially large user base at risk prior to upgrading to version 2.6.4.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Tandoor Recipes to version 2.6.4 or later to remediate CVE-2026-35488.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Tandoor RecipeBook Unauthorized Modification\u0026quot; to identify potential exploitation attempts targeting the RecipeBook API endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for PUT/PATCH/DELETE requests to RecipeBook API endpoints originating from users with only shared access, as indicated by anomalous HTTP request patterns related to RecipeBook IDs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-tandoor-recipe-overwrite/","summary":"Tandoor Recipes versions prior to 2.6.4 allow unauthorized modification and deletion of RecipeBooks due to a flaw in the CustomIsShared permission class which grants write access to shared users regardless of intended read-only permissions.","title":"Tandoor Recipes Unauthorized RecipeBook Modification Vulnerability (CVE-2026-35488)","url":"https://feed.craftedsignal.io/briefs/2024-01-tandoor-recipe-overwrite/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tandoor Recipes"],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-33152","tandoor-recipes","password-guessing","credential-access"],"_cs_type":"advisory","_cs_vendors":["Tandoor Recipes"],"content_html":"\u003cp\u003eTandoor Recipes, a recipe management and meal planning application, is susceptible to a critical vulnerability (CVE-2026-33152) in versions prior to 2.6.0. The application's configuration of Django REST Framework with BasicAuthentication as a default authentication backend, combined with insufficient rate limiting, creates a significant security risk. The AllAuth rate limiting (ACCOUNT_RATE_LIMITS: login: 5/m/ip) is only applied to the HTML login endpoint (/accounts/login/), leaving API endpoints unprotected. This allows attackers to bypass rate limiting and account lockout mechanisms by sending authentication requests directly to the API. This vulnerability enables an attacker to perform unlimited password attempts against valid usernames, potentially gaining unauthorized access to user accounts and sensitive data. Tandoor Recipes version 2.6.0 addresses this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Tandoor Recipes instance running a version prior to 2.6.0.\u003c/li\u003e\n\u003cli\u003eThe attacker discovers valid usernames through OSINT techniques or by leveraging other vulnerabilities (not described in source).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts HTTP requests with \u003ccode\u003eAuthorization: Basic\u003c/code\u003e headers targeting an API endpoint that accepts authenticated requests.\u003c/li\u003e\n\u003cli\u003eThe attacker sends multiple requests with different password guesses using a scripting language like Python and the \u003ccode\u003erequests\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eThe Tandoor Recipes server authenticates the request if the credentials match a valid user.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains access to the targeted user's account.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses, modifies, or exfiltrates recipes, meal plans, shopping lists, and potentially other user data.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots to other user accounts if sufficient privileges exist, further expanding their access and potential damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33152 allows attackers to compromise user accounts on vulnerable Tandoor Recipes instances. This can lead to unauthorized access to sensitive user data, including personal recipes, meal plans, and shopping lists. Depending on the application's deployment and user permissions, attackers may also be able to modify data, add malicious content, or pivot to other systems. The lack of rate limiting makes password guessing attacks highly effective, increasing the risk of widespread account compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Tandoor Recipes instances to version 2.6.0 or later to patch CVE-2026-33152.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on API endpoints that accept BasicAuthentication, independent of AllAuth's HTML login rate limiting.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Tandoor Recipes Basic Authentication Brute Force\u003c/code\u003e to identify potential password guessing attempts against Tandoor Recipes instances in your environment.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for excessive \u003ccode\u003eAuthorization: Basic\u003c/code\u003e header usage targeting Tandoor Recipes API endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-tandoor-password-guessing/","summary":"Tandoor Recipes before 2.6.0 allows unauthenticated attackers to perform high-speed password guessing attacks against any known username due to improper rate limiting on API endpoints using BasicAuthentication.","title":"Tandoor Recipes Unauthenticated Password Guessing Vulnerability (CVE-2026-33152)","url":"https://feed.craftedsignal.io/briefs/2024-01-09-tandoor-password-guessing/"}],"language":"en","title":"CraftedSignal Threat Feed - Tandoor Recipes","version":"https://jsonfeed.org/version/1.1"}