Home / Vulnerability Intelligence / CVE-2026-35045

CVE-2026-35045 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: April 6, 2026

Tandoor Recipes - Broken Access Control

Published: April 6, 2026Updated: April 6, 2026PoC AvailableRemote Exploitable

Overview

Tandoor Recipes < 2.6.4 contains a broken access control vulnerability caused by insufficient authorization checks in the PUT /api/recipe/batch_update/ endpoint, letting authenticated users modify any recipe in a Space, including private ones, exploit requires user authentication within the Space.

Severity & Score

Severity: High

CVSS Score: 8.1

Impact

Authenticated users can modify private recipes of others, exposing sensitive data and tampering with metadata.

Mitigation

Upgrade to version 2.6.4 or later.

References

https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4
https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-v8x3-w674-55p5

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-35045
Severity: High
CVSS Score: 8.1
Type: broken_access_control
Status: new

CWE

CWE-639

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N