Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint …

CVE-2026-35045 affects Tandoor Recipes application versions prior to 2.6.4. The vulnerability exists in the PUT /api/recipe/batch_update/ endpoint which allows any authenticated user within a Space to modify any recipe in that Space, including private recipes owned by other users. This bypasses object-level authorization checks that are properly enforced on single-recipe endpoints. The flaw enables forced exposure of private recipes, unauthorized self-grant of access via shared lists, and metadata tampering. The vulnerability has been patched in version 2.6.4.