Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0958

NIXPKGS-2026-0958
published on
Permalink CVE-2026-35045
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 1 week ago by @ADMIN Activity log
  • Created suggestion 3 weeks, 1 day ago
  • @LeSuisse ignored package gnome-recipes 3 weeks ago
  • @LeSuisse deleted maintainer @jvanbruegge 3 weeks ago maintainer.delete
  • @LeSuisse accepted 3 weeks ago
  • @LeSuisse published on GitHub 3 weeks ago
  • @LeSuisse accepted 3 weeks ago
  • @ADMIN published on GitHub 1 week ago
Tandoor Recipes Affected by Private Recipe Exposure and Unauthorized Modification

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint in Tandoor Recipes allows any authenticated user within a Space to modify any recipe in that Space, including recipes marked as private by other users. This bypasses all object-level authorization checks enforced on standard single-recipe endpoints (PUT /api/recipe/{id}/), enabling forced exposure of private recipes, unauthorized self-grant of access via the shared list, and metadata tampering. This vulnerability is fixed in 2.6.4.

Affected products

recipes
  • ==< 2.6.4

Matching in nixpkgs

pkgs.tandoor-recipes

Application for managing recipes, planning meals, building shopping lists and much much more!

Ignored packages (1)

Package maintainers

Ignored maintainers (1)