CVE-2026-28503 in TandoorRecipes recipes정보

요약 (영어)

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the `SyncViewSet.query_synced_folder()` action in `cookbook/views/api.py` (line 903) fetches a Sync object using `get_object_or_404(Sync, pk=pk)` without including `space=request.space` in the filter. This allows an admin user in Space A to trigger sync operations (Dropbox/Nextcloud/Local import) on Sync configurations belonging to Space B, and view the resulting sync logs. Version 2.6.0 patches the issue.

책임이 있는

GitHub_M

예약하다

2026. 02. 27.

공개

2026. 03. 26.

엔트리

VulDB provides additional information and datapoints for this CVE:

아이디	취약성	CWE	악용	대책	CVE
353747	TandoorRecipes recipes api.py query_synced_folder 권한 상승	639	정의되지 않음	공식 수정	CVE-2026-28503

설명

CPE

CWE

CVSS

익스플로잇

역사

차이

연결하다

위협 인텔리전스

API JSON

API XML

API CSV

◂ 이전개요다음 ▸

Want to know what is going to be exploited?

We predict KEV entries!