CVE-2026-35488 Overview
CVE-2026-35488 is a broken access control vulnerability in Tandoor Recipes, an open-source application for managing recipes, planning meals, and building shopping lists. The vulnerability exists in the RecipeBookViewSet and RecipeBookEntryViewSet components, which improperly implement the CustomIsShared permission class. This flaw allows users with shared read-only access to a RecipeBook to perform destructive operations such as DELETE, PUT, and PATCH requests, effectively overwriting or deleting recipe books they should only be able to view.
Critical Impact
Any authenticated user with shared access to a RecipeBook can delete or completely overwrite it, bypassing the intended read-only semantics of shared access.
Affected Products
- Tandoor Recipes versions prior to 2.6.4
Discovery Timeline
- 2026-04-07 - CVE-2026-35488 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35488
Vulnerability Analysis
This vulnerability stems from improper access control enforcement in the Django REST Framework permission classes used by Tandoor Recipes. The CustomIsShared permission class is designed to allow users on a shared list to access recipe books, but it fails to properly restrict the HTTP methods available to those users.
The core issue lies in the has_object_permission() method of CustomIsShared, which unconditionally returns True for all HTTP methods. In a properly implemented permission class, this method should verify that the incoming request method is in the SAFE_METHODS tuple (GET, HEAD, OPTIONS) before granting access to shared users. Without this check, users who are supposed to have read-only access through sharing can execute write operations including PUT (full update), PATCH (partial update), and DELETE.
This represents a classic broken access control pattern (CWE-749: Exposed Dangerous Method or Function) where the application exposes functionality to users beyond their intended privilege level.
Root Cause
The root cause is the missing conditional check in CustomIsShared.has_object_permission() that should verify request.method in SAFE_METHODS before returning True. The permission class treats all authenticated shared users equally regardless of the HTTP method being invoked, creating an authorization bypass that allows write and delete operations on resources that should be read-only for shared users.
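To make the missing check concrete, here is a minimal model of the flaw beside the corrected form. This is an added illustration, not Tandoor's own code: the RecipeBook, User and Request classes are assumed stand-ins, and the owner-side permission that a real deployment combines with the shared-user check is left out.

```python
# Illustrative model of the CustomIsShared flaw (not Tandoor's code).
from dataclasses import dataclass, field

try:
    from rest_framework.permissions import SAFE_METHODS, BasePermission
except ImportError:  # run without Django REST Framework installed
    SAFE_METHODS = ("GET", "HEAD", "OPTIONS")  # same tuple DRF defines

    class BasePermission:
        def has_object_permission(self, request, view, obj):
            return True


@dataclass(frozen=True)
class User:  # assumed stand-in for the Django user
    username: str


@dataclass
class RecipeBook:  # assumed stand-in: owner plus the users it is shared with
    name: str
    created_by: User
    shared_with: set = field(default_factory=set)

    def get_shared(self):
        return self.shared_with


@dataclass
class Request:  # assumed stand-in for the DRF request
    method: str
    user: User


class VulnerableIsShared(BasePermission):
    """Pre-fix pattern: any method is granted once the user is on the shared list."""

    def has_object_permission(self, request, view, obj):
        return request.user in obj.get_shared()


class FixedIsShared(BasePermission):
    """Fixed pattern: shared users are granted SAFE_METHODS only (owner check is separate)."""

    def has_object_permission(self, request, view, obj):
        return request.method in SAFE_METHODS and request.user in obj.get_shared()


def allowed(permission, method, user, book):
    """Run one permission class against a request; returns True if it would be authorized."""
    return permission.has_object_permission(Request(method, user), None, book)
```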
Attack Vector
An attacker who has been granted shared access to a RecipeBook can exploit this vulnerability through the following attack flow:
- The attacker obtains shared access to a target RecipeBook through legitimate sharing functionality
- Using the API endpoints for RecipeBookViewSet or RecipeBookEntryViewSet, the attacker sends DELETE, PUT, or PATCH requests
- The CustomIsShared permission class incorrectly authorizes these requests because it only verifies the user is on the shared list without validating the HTTP method
- The attacker can now delete entire recipe books or overwrite their contents, causing data loss for the legitimate owner
This attack requires network access and a low-privileged authenticated user account with shared access to at least one RecipeBook. No user interaction is required to exploit the vulnerability once the attacker has shared access.
Detection Methods for CVE-2026-35488
Indicators of Compromise
- Unexpected DELETE, PUT, or PATCH requests to /api/recipe-book/ or /api/recipe-book-entry/ endpoints from users who only have shared (read) access
- Audit logs showing recipe book modifications or deletions by users other than the owner
- User reports of missing or modified recipe books that were shared with other users
- API access logs showing write operations from IP addresses associated with shared users
Detection Strategies
- Implement API request logging that captures HTTP method, authenticated user, and target resource ownership
- Monitor for anomalous patterns where users perform write operations on resources they don't own
- Review Django REST Framework permission class implementations for similar patterns where has_object_permission() returns True without method validation
- Deploy web application firewalls (WAF) with rules to detect unauthorized write attempts on shared resources
Monitoring Recommendations
- Enable detailed API audit logging for all recipe book and entry modification operations
- Set up alerts for DELETE/PUT/PATCH operations on resources where the requesting user is not the owner
- Regularly review access control implementations in custom permission classes
- Monitor application logs for unexpected 2xx responses to write operations from shared users
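The alerting rule above (successful DELETE/PUT/PATCH on a recipe book by a non-owner) as a small log filter. This is an added example, not part of the advisory: it assumes one JSON object per log line with user, method, path and status fields, and an owner lookup taken from the application database; both the log lines and the owner table are constructed here.

```python
# Added detection example (constructed data, not from the advisory).
import json
import re

WRITE_METHODS = {"DELETE", "PUT", "PATCH"}
# Endpoints named in the advisory: /api/recipe-book/<id>/ and /api/recipe-book-entry/<id>/
ENDPOINT_RE = re.compile(r"^/api/(recipe-book(?:-entry)?)/(\d+)/?$")

# Constructed owner table: (resource type, id) -> owner username
OWNERS = {
    ("recipe-book", 7): "alice",
    ("recipe-book", 8): "bob",
    ("recipe-book-entry", 42): "alice",
}

# Constructed sample access log: bob and carol only have shared (read) access to alice's books
SAMPLE_LOG = """\
{"user": "alice", "method": "PATCH", "path": "/api/recipe-book/7/", "status": 200}
{"user": "bob", "method": "DELETE", "path": "/api/recipe-book/7/", "status": 204}
{"user": "bob", "method": "GET", "path": "/api/recipe-book/7/", "status": 200}
{"user": "carol", "method": "PUT", "path": "/api/recipe-book-entry/42/", "status": 403}
{"user": "carol", "method": "PUT", "path": "/api/recipe-book-entry/42/", "status": 200}
{"user": "bob", "method": "PUT", "path": "/api/recipe-book/8/", "status": 200}
"""


def find_non_owner_writes(log_text, owners):
    """Return (user, method, path) for each successful write by someone other than the owner."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        match = ENDPOINT_RE.match(entry["path"])
        if match is None or entry["method"] not in WRITE_METHODS:
            continue
        owner = owners.get((match.group(1), int(match.group(2))))
        # A 2xx on a non-owner write is the signal; a 403 shows the permission check holding.
        if owner is not None and entry["user"] != owner and 200 <= entry["status"] < 300:
            hits.append((entry["user"], entry["method"], entry["path"]))
    return hits
```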
How to Mitigate CVE-2026-35488
Immediate Actions Required
- Upgrade Tandoor Recipes to version 2.6.4 or later immediately
- Review audit logs for any unauthorized modifications to shared recipe books
- Temporarily disable or restrict the sharing functionality if immediate patching is not possible
- Notify users who have shared recipe books about potential unauthorized modifications
Patch Information
The vulnerability has been fixed in Tandoor Recipes version 2.6.4. The fix modifies the CustomIsShared.has_object_permission() method to properly check that the request method is in SAFE_METHODS before granting access to shared users. This ensures that users with shared access can only perform read operations (GET, HEAD, OPTIONS) on recipe books, preserving the intended read-only semantics.
For detailed information about the fix, refer to the GitHub Security Advisory GHSA-xvmf-cfrq-4j8f and the GitHub Release for 2.6.4.
Workarounds
- Disable or remove sharing functionality for recipe books until the patch can be applied
- Implement network-level access controls to restrict API access to trusted users only
- Deploy a reverse proxy or WAF rule to block DELETE/PUT/PATCH requests to affected endpoints from non-owner users
- Review and revoke shared access permissions for sensitive recipe books as a temporary measure
# Upgrade Tandoor Recipes to the patched version
# Using Docker (recommended deployment method)
docker pull vabene1111/recipes:2.6.4
# Make sure the image tag in docker-compose.yml points at 2.6.4 (or a later release)
# before recreating the containers, otherwise the old image is started again
docker-compose down
docker-compose up -d
# Verify the version after upgrade
# (assumes the container is named tandoor_recipes and that the recipes package
# exposes __version__; adjust both to your deployment)
docker exec -it tandoor_recipes python manage.py shell -c "import recipes; print(recipes.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

