PT-2026-30861 · Unknown · Tandoor Recipes
Filipegaudard · Published 2026-04-07 · Updated 2026-04-07 · CVE-2026-35488
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Tandoor Recipes versions prior to 2.6.4
Description
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The RecipeBookViewSet and RecipeBookEntryViewSet use CustomIsShared as a permission class. The CustomIsShared.has_object_permission() function incorrectly returns True for all HTTP methods, including DELETE, PUT, and PATCH, without verifying that the request method is in the list of safe methods (SAFE_METHODS). This allows any user in a RecipeBook's shared list to delete or modify it, even though shared access is intended to be read-only.
Recommendations
Update to version 2.6.4 or later.
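The flaw described above, modelled as an added example (not Tandoor's code and not the 2.6.4 patch): a dependency-free stand-in for a DRF-style object permission, before and after restricting shared users to SAFE_METHODS. The Request and RecipeBook stand-ins, the two class names, the shared-set check and the audit() helper are assumptions for illustration.

```python
# Added illustration, not project code. Only has_object_permission() and
# SAFE_METHODS mirror names from the advisory; everything else is hypothetical.
from dataclasses import dataclass, field

# Same values as rest_framework.permissions.SAFE_METHODS
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")
ALL_METHODS = ("GET", "HEAD", "OPTIONS", "POST", "PUT", "PATCH", "DELETE")


@dataclass
class Request:          # minimal stand-in for the framework request object
    method: str
    user: str


@dataclass
class RecipeBook:       # minimal stand-in for the shared object
    owner: str
    shared: set = field(default_factory=set)


class SharedPermissionBefore:
    """Behaviour the advisory describes: membership alone grants every method."""

    def has_object_permission(self, request, view, obj):
        return request.user in obj.shared


class SharedPermissionAfter:
    """Shared users pass only when the method is read-only."""

    def has_object_permission(self, request, view, obj):
        return request.method in SAFE_METHODS and request.user in obj.shared


def audit(permission, obj, user):
    """Return every HTTP method the permission class allows `user` on `obj`."""
    return [m for m in ALL_METHODS
            if permission.has_object_permission(Request(m, user), None, obj)]


book = RecipeBook(owner="alice", shared={"bob"})  # constructed sample data

if __name__ == "__main__":
    print("before:", audit(SharedPermissionBefore(), book, "bob"))
    print("after: ", audit(SharedPermissionAfter(), book, "bob"))
```

The audit() matrix is the kind of regression check that catches this class of bug: run it for each permission class and assert that shared-only users never receive a write method.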
Affected Products
Tandoor Recipes