Tandoor Recipes Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability exists in Tandoor Recipes version 2.0.0-alpha-1, due to an API rework that exposed the boolean is_staff and is_superuser fields as writable in the User Profile API endpoint. Because these values indicate whether a user is staff or administrative, any user can set them on their own profile and elevate their privileges to the highest level. The vulnerability has been addressed in version 2.0.0-alpha-2.

Impact

Exploitation of this vulnerability allows users to gain administrative privileges, including staff and superuser rights.

Reproduction

To reproduce this vulnerability, a user sends an API request to the User Profile endpoint that includes the is_staff and is_superuser parameters. Setting both parameters to true escalates the user's privileges to those of an admin.

Remediation

Users can upgrade to Tandoor Recipes version 2.0.0-alpha-2 to address this vulnerability.
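The root cause described above is a mass-assignment pattern: the profile endpoint writes whatever fields the request body carries, privilege flags included. The following is an added example, not Tandoor Recipes' own code, modelling that pattern in plain Python beside a hardened handler that allow-lists the fields a user may change on their own profile and reports anything else so the caller can reject the request and log it. The field names is_staff and is_superuser come from the advisory; the User dataclass, PROFILE_WRITABLE_FIELDS and the constructed payloads are assumptions made for the illustration.

```python
"""Added example (not Tandoor Recipes' code): allow-listing writable
profile fields so privilege flags can never be set through a self-service
profile update. All names except is_staff / is_superuser are constructed."""
from dataclasses import dataclass, fields, replace
from typing import Optional

# Fields an account may change on its own profile. The privilege flags are
# deliberately absent: they are never writable through this endpoint.
PROFILE_WRITABLE_FIELDS = frozenset({"first_name", "last_name", "email"})

# Fields whose presence in a self-service payload is worth an audit record.
PRIVILEGE_FIELDS = frozenset({"is_staff", "is_superuser"})


@dataclass(frozen=True)
class User:
    """Minimal stand-in for a user record (constructed for this example)."""
    username: str
    email: str = ""
    first_name: str = ""
    last_name: str = ""
    is_staff: bool = False
    is_superuser: bool = False


def update_profile_vulnerable(user: User, payload: dict) -> User:
    """Mass-assignment pattern: every payload key that matches a model field
    is written, so is_staff and is_superuser are accepted from the client."""
    model_fields = {f.name for f in fields(user)}
    changes = {k: v for k, v in payload.items() if k in model_fields}
    return replace(user, **changes)


def update_profile_hardened(user: User, payload: dict) -> tuple[User, list[str]]:
    """Apply only allow-listed fields and return the rejected keys, so the
    caller can respond with 400 instead of silently ignoring them."""
    rejected = sorted(k for k in payload if k not in PROFILE_WRITABLE_FIELDS)
    changes = {k: payload[k] for k in payload if k in PROFILE_WRITABLE_FIELDS}
    return replace(user, **changes), rejected


def audit_profile_request(requester: User, payload: dict) -> Optional[str]:
    """Detection hook: a non-privileged account sending privilege flags in a
    profile update is a signal worth logging, whether or not the write
    succeeded. Returns an alert line, or None when nothing is suspicious."""
    attempted = sorted(PRIVILEGE_FIELDS & payload.keys())
    if attempted and not (requester.is_staff or requester.is_superuser):
        return (f"ALERT profile-update user={requester.username} "
                f"attempted_fields={','.join(attempted)}")
    return None


def privilege_flags_are_readonly() -> bool:
    """Regression check: the hardened handler must never flip either flag,
    whatever the client sends, while still applying ordinary fields."""
    alice = User("alice", email="alice@example.test")  # constructed account
    payload = {"email": "new@example.test", "is_staff": True, "is_superuser": True}
    updated, rejected = update_profile_hardened(alice, payload)
    return (not updated.is_staff and not updated.is_superuser
            and updated.email == "new@example.test"
            and rejected == ["is_staff", "is_superuser"])


if __name__ == "__main__":
    alice = User("alice", email="alice@example.test")
    payload = {"is_staff": True, "is_superuser": True}
    print("vulnerable:", update_profile_vulnerable(alice, payload))
    print("hardened:  ", update_profile_hardened(alice, payload))
    print("audit:     ", audit_profile_request(alice, payload))
    print("regression passes:", privilege_flags_are_readonly())
```

The same idea carries over to a real serializer or form layer: declare the privilege flags read-only (or omit them from the writable field set entirely) rather than relying on the client not to send them, and keep a regression test like privilege_flags_are_readonly in the suite so a later API rework cannot quietly widen the writable set again.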

Added: Sep 19, 2025, 8:21 PM
Updated: Sep 19, 2025, 9:17 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 5.0
exploitability: 6.6
remediation: 7.7
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.