CVE-2026-35489 Overview
CVE-2026-35489 is an input validation vulnerability affecting Tandoor Recipes, an open-source application for managing recipes, planning meals, and building shopping lists. The vulnerability exists in the POST /api/food/{id}/shopping/ endpoint, which fails to properly validate user-supplied input before passing it to the database creation method. This flaw allows attackers to cause denial of service conditions through unhandled exceptions and potentially leak cross-tenant data by associating unit IDs from different Spaces (tenant boundaries).
Critical Impact
Attackers can exploit this vulnerability to cause HTTP 500 errors through invalid input and bypass multi-tenant isolation by referencing foreign-key data from other Spaces, leading to information disclosure across tenant boundaries.
Affected Products
- Tandoor Recipes versions prior to 2.6.4
Discovery Timeline
- 2026-04-07 - CVE CVE-2026-35489 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35489
Vulnerability Analysis
This vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), which occurs when the application uses user-controlled input to directly reference database objects without proper authorization checks. In Tandoor Recipes, the vulnerable endpoint reads the amount and unit parameters directly from request data and passes them to ShoppingListEntry.objects.create() without validation.
The lack of input validation creates two distinct attack scenarios. First, supplying non-numeric strings for the amount field causes an unhandled exception, resulting in an HTTP 500 response and potential denial of service. Second, and more critically, an attacker can specify a unit ID that belongs to a different Space (tenant), allowing cross-space foreign-key references that violate the application's multi-tenant isolation model.
This inconsistency is particularly notable because all other endpoints that create ShoppingListEntry objects use the ShoppingListEntrySerializer, which properly validates and sanitizes these fields. The vulnerable endpoint bypasses this serializer, directly exposing the underlying database operation to untrusted input.
Root Cause
The root cause of this vulnerability is the inconsistent application of input validation across the codebase. While the ShoppingListEntrySerializer provides proper validation for amount and unit fields in other parts of the application, the POST /api/food/{id}/shopping/ endpoint directly accesses request.data and passes these values to the Django ORM without leveraging the serializer's validation logic. This creates an authorization bypass where tenant boundaries (Spaces) are not enforced for the unit foreign-key relationship.
Attack Vector
The attack is network-based and requires no authentication in certain configurations. An attacker can craft malicious POST requests to the /api/food/{id}/shopping/ endpoint with either invalid amount values to trigger unhandled exceptions or valid unit IDs from other Spaces to leak cross-tenant references.
For the denial of service attack, an attacker sends a request with a non-numeric string in the amount field, causing the database layer to throw an exception that propagates as an HTTP 500 error. For the cross-space data leakage, an attacker enumerates or guesses unit IDs from other tenant Spaces and includes them in requests, which are then accepted and stored without proper authorization validation.
The vulnerability mechanism involves direct parameter passing from user input to the ORM create method, bypassing the serializer validation layer. Technical details are available in the GitHub Security Advisory.
Detection Methods for CVE-2026-35489
Indicators of Compromise
- Unusual HTTP 500 errors originating from the /api/food/{id}/shopping/ endpoint
- Log entries showing database exceptions related to invalid amount field values
- Shopping list entries containing unit references that do not belong to the current Space
- Suspicious API requests with non-numeric amount parameters or sequential unit ID enumeration patterns
Detection Strategies
- Monitor application logs for unhandled exceptions in the shopping list creation functionality
- Implement alerting for elevated HTTP 500 error rates on the /api/food/ API endpoints
- Audit database records for cross-Space foreign-key references in ShoppingListEntry objects
- Deploy web application firewall rules to detect and block requests with invalid input patterns
Monitoring Recommendations
- Enable detailed logging for all API endpoints handling shopping list operations
- Configure alerting thresholds for HTTP 500 error spikes that may indicate exploitation attempts
- Implement database integrity checks to identify cross-tenant data references
- Review access logs for patterns of sequential ID enumeration targeting the vulnerable endpoint
How to Mitigate CVE-2026-35489
Immediate Actions Required
- Upgrade Tandoor Recipes to version 2.6.4 or later immediately
- Review existing ShoppingListEntry records for cross-Space unit references that may indicate prior exploitation
- Implement rate limiting on the /api/food/{id}/shopping/ endpoint to reduce denial of service impact
- Consider temporarily restricting access to the vulnerable endpoint if immediate patching is not possible
Patch Information
The vulnerability has been fixed in Tandoor Recipes version 2.6.4. The patch ensures that the POST /api/food/{id}/shopping/ endpoint properly validates and sanitizes the amount and unit fields before database operations, consistent with other endpoints that use ShoppingListEntrySerializer. Users should upgrade to this version or later to remediate the vulnerability. Release notes are available at the GitHub Release Notes.
Workarounds
- Implement a reverse proxy rule to validate amount field as numeric before requests reach the application
- Deploy a web application firewall to filter requests with invalid input patterns to the shopping API
- Restrict API access to authenticated and authorized users only until patching can be completed
- Monitor and audit ShoppingListEntry creation events for anomalous cross-Space references
If immediate patching is not feasible, administrators should consider restricting access to the vulnerable endpoint at the network or reverse proxy level until the upgrade can be applied. Consult the GitHub Security Advisory for additional mitigation guidance.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
