CVE-2026-28503

Name of the Vulnerable Software and Affected Versions Tandoor Recipes versions prior to 2.6.0

Description Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the SyncViewSet.query synced folder() action in cookbook/views/api.py (line 903) fetches a Sync object using get object or 404(Sync, pk=pk) without including space=request.space in the filter. This allows an admin user in Space A to trigger sync operations (Dropbox/Nextcloud/Local import) on Sync configurations belonging to Space B, and view the resulting sync logs. The API endpoint involved is SyncViewSet.query synced folder(). The vulnerable parameter is pk.

Recommendations Update to version 2.6.0 or later.