CVE-2026-35045

Name of the Vulnerable Software and Affected Versions Tandoor Recipes versions prior to 2.6.4

Description The Tandoor Recipes application, used for managing recipes, meal planning, and shopping lists, has an issue where the PUT /api/recipe/batch update/ endpoint allows authenticated users within a Space to modify any recipe in that Space, even those marked as private by other users. This circumvents object-level authorization checks, potentially leading to the forced exposure of private recipes, unauthorized access via shared lists, and metadata tampering.

Recommendations Update to version 2.6.4 or later.