Auth bypass in Tandoorrecipes Recipes

CVE-2026-28503

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the `SyncViewSet.query_synced_folder()` action in `cookbook/views/api.py` (line 903) fetches a Sync object usi…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.001 (16.9th percentile) — read the EPSS interpretation.

Affected products

Tandoorrecipes Recipes — versions < 2.6.0

Weakness classification (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key

References

https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-6qpw-gwcq-68fv (x_refsource_CONFIRM)
https://github.com/TandoorRecipes/recipes/releases/tag/2.6.0 (x_refsource_MISC)