Nixpkgs security tracker

Suggestion detail

Accepted
CVE-2026-35045
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
Updated 1 week, 1 day ago by @LeSuisse

Activity log
  • Created automatic suggestion
  • @LeSuisse ignored package gnome-recipes
  • @LeSuisse deleted maintainer @jvanbruegge
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
  • @LeSuisse accepted
Tandoor Recipes Affected by Private Recipe Exposure and Unauthorized Modification

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint in Tandoor Recipes allows any authenticated user within a Space to modify any recipe in that Space, including recipes marked as private by other users. This bypasses all object-level authorization checks enforced on standard single-recipe endpoints (PUT /api/recipe/{id}/), enabling forced exposure of private recipes, unauthorized self-grant of access via the shared list, and metadata tampering. This vulnerability is fixed in 2.6.4.

Affected products

recipes
  • < 2.6.4

Matching in nixpkgs

pkgs.tandoor-recipes

Application for managing recipes, planning meals, building shopping lists and much much more!
