Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0956

NIXPKGS-2026-0956
published on
Permalink CVE-2026-35488
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 3 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 weeks ago
  • @LeSuisse ignored package gnome-recipes 3 weeks ago
  • @LeSuisse deleted maintainer @jvanbruegge 3 weeks ago maintainer.delete
  • @LeSuisse accepted 3 weeks ago
  • @LeSuisse published on GitHub 3 weeks ago
Tandoor Recipes — CustomIsShared permits DELETE/PUT on RecipeBook by shared (read-only) users

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, RecipeBookViewSet and RecipeBookEntryViewSet use CustomIsShared as an alternative permission class, but CustomIsShared.has_object_permission() returns True for all HTTP methods — including DELETE, PUT, and PATCH — without checking request.method in SAFE_METHODS. Any user who is in the shared list of a RecipeBook can delete or overwrite it, even though shared access is semantically read-only. This vulnerability is fixed in 2.6.4.

Affected products

recipes
  • ==< 2.6.4

Matching in nixpkgs

pkgs.tandoor-recipes

Application for managing recipes, planning meals, building shopping lists and much much more!

Ignored packages (1)

Package maintainers

Ignored maintainers (1)