NIXPKGS-2026-0956

GitHub issue published 2 months, 2 weeks ago

Permalink CVE-2026-35488

8.1 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

updated 2 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 2 months, 2 weeks ago
@LeSuisse ignored package gnome-recipes 2 months, 2 weeks ago
@LeSuisse deleted maintainer @jvanbruegge 2 months, 2 weeks ago maintainer.delete
@LeSuisse accepted 2 months, 2 weeks ago
@LeSuisse published on GitHub 2 months, 2 weeks ago

Tandoor Recipes — CustomIsShared permits DELETE/PUT on RecipeBook by shared (read-only) users

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, RecipeBookViewSet and RecipeBookEntryViewSet use CustomIsShared as an alternative permission class, but CustomIsShared.has_object_permission() returns True for all HTTP methods — including DELETE, PUT, and PATCH — without checking request.method in SAFE_METHODS. Any user who is in the shared list of a RecipeBook can delete or overwrite it, even though shared access is semantically read-only. This vulnerability is fixed in 2.6.4.