Tandoor Recipes Cross-Space IDOR Vulnerability in Sync Operations

Vulnerability

A cross-space insecure direct object reference (IDOR) vulnerability has been identified in Tandoor Recipes versions prior to 2.6.0. The issue arises in the `SyncViewSet.query_synced_folder()` action, which retrieves a Sync object by its identifier without filtering on the caller's space. This flaw allows an admin user in one space to access and manipulate the sync operations and logs of another space.
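The bug class is a tenant-scoping omission: an object lookup keyed on the client-supplied id alone, with no filter on the caller's space. The following is an added illustration written for this page, not code from the Tandoor Recipes project; the `Sync`, `SyncRepository`, `Request` and `space_id` names are constructed stand-ins for the real models and views, and the two `query_synced_folder_*` functions show the unscoped lookup beside a space-scoped one, plus a small audit helper that checks every Sync a caller can reach belongs to that caller's space.

```python
"""Illustrative model of a cross-tenant (cross-space) IDOR and its fix.

Added example, not Tandoor's code. Sync, SyncRepository, Request and
space_id are constructed names; the real project's ORM and DRF views are
not reproduced. The point is the lookup pattern, not the framework.
"""
from dataclasses import dataclass


class NotFound(Exception):
    """Raised when a lookup fails; a view would map this to HTTP 404."""


@dataclass(frozen=True)
class Sync:
    pk: int          # primary key the client supplies in the URL
    space_id: int    # tenant that owns this sync configuration
    path: str        # folder being synced (constructed sample value)


@dataclass(frozen=True)
class Request:
    user_id: int
    space_id: int    # the space the authenticated admin is acting in


class SyncRepository:
    """In-memory stand-in for a queryset over the Sync table."""

    def __init__(self, rows):
        self._rows = {r.pk: r for r in rows}

    def get(self, pk):
        # Lookup by primary key only: no notion of which tenant is asking.
        try:
            return self._rows[pk]
        except KeyError:
            raise NotFound(pk)

    def filter_space(self, space_id):
        # Narrow the visible rows to one tenant before any pk lookup.
        return SyncRepository(r for r in self._rows.values()
                              if r.space_id == space_id)

    def all(self):
        return list(self._rows.values())


# Constructed sample data: two spaces, one Sync each.
SYNCS = [Sync(pk=1, space_id=100, path="/recipes/space-a"),
         Sync(pk=2, space_id=200, path="/recipes/space-b")]
REPO = SyncRepository(SYNCS)


def query_synced_folder_vulnerable(request, pk):
    """Unscoped lookup: any authenticated admin can reach any Sync by pk."""
    return REPO.get(pk)


def query_synced_folder_fixed(request, pk):
    """Space-scoped lookup: a pk owned by another space is simply not found.

    Filtering first means the server never confirms whether the foreign
    pk exists, which also avoids an enumeration side channel.
    """
    return REPO.filter_space(request.space_id).get(pk)


def audit_cross_space_reach(view, request, repo=REPO):
    """Return the pks the caller can reach that belong to a different space.

    A defender can run this kind of check against a view in a test suite;
    the expected result for a correctly scoped view is an empty list.
    """
    leaked = []
    for sync in repo.all():
        try:
            obj = view(request, sync.pk)
        except NotFound:
            continue
        if obj.space_id != request.space_id:
            leaked.append(obj.pk)
    return leaked


if __name__ == "__main__":
    admin_of_a = Request(user_id=1, space_id=100)
    print("vulnerable leaks:", audit_cross_space_reach(query_synced_folder_vulnerable, admin_of_a))
    print("fixed leaks:", audit_cross_space_reach(query_synced_folder_fixed, admin_of_a))
```

The audit helper is the part worth keeping around: a regression test that iterates over every object and asserts that a view reached through a foreign-tenant request either raises not-found or returns an object owned by the requesting tenant catches this class of omission before release.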

Impact

Exploiting this vulnerability allows an authenticated admin user to trigger sync operations on any space's Sync configuration, read sync logs belonging to other spaces, and potentially import recipes into another space if the sync mechanism has write access.

Remediation

Upgrade to Tandoor Recipes version 2.6.0 or later to address this vulnerability.

Added: Mar 26, 2026, 7:38 PM
Updated: Mar 26, 2026, 7:38 PM

Vulnerability Rating

Custom Algorithm

spread          1.9
impact          1.3
exploitability  6.1
remediation     7.7
relevance       4.7
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.