CVE-2026-28503: CWE-639: Authorization Bypass Through User-Controlled Key in TandoorRecipes recipes
CVE-2026-28503 is an authorization bypass vulnerability in Tandoor Recipes versions prior to 2. 6. 0. The flaw exists in the SyncViewSet. query_synced_folder() function, which fetches Sync objects without properly restricting access by space. This allows an admin user in one space to trigger sync operations and view sync logs belonging to another space. The issue is fixed in version 2. 6. 0.
AI Analysis
Technical Summary
Tandoor Recipes before version 2.6.0 contains an authorization bypass vulnerability (CWE-639) in the SyncViewSet.query_synced_folder() method. The method uses get_object_or_404(Sync, pk=pk) without filtering by the current space, enabling an admin user in one space to access and manipulate Sync configurations of other spaces. This can lead to unauthorized triggering of sync operations (Dropbox, Nextcloud, Local import) and viewing of sync logs across spaces. The vulnerability has a CVSS 4.0 score of 5.5 (medium severity) and was patched in version 2.6.0.
Potential Impact
An admin user in one space can bypass authorization controls to access and trigger sync operations on Sync configurations belonging to other spaces, potentially exposing sync logs and data related to those spaces. This cross-space access violates intended access controls and could lead to information disclosure within the multi-tenant environment of the application.
Mitigation Recommendations
Upgrade Tandoor Recipes to version 2.6.0 or later, where this authorization bypass vulnerability has been fixed. No other mitigations are specified or required once the official patch is applied.
CVE-2026-28503: CWE-639: Authorization Bypass Through User-Controlled Key in TandoorRecipes recipes
Description
CVE-2026-28503 is an authorization bypass vulnerability in Tandoor Recipes versions prior to 2. 6. 0. The flaw exists in the SyncViewSet. query_synced_folder() function, which fetches Sync objects without properly restricting access by space. This allows an admin user in one space to trigger sync operations and view sync logs belonging to another space. The issue is fixed in version 2. 6. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Tandoor Recipes before version 2.6.0 contains an authorization bypass vulnerability (CWE-639) in the SyncViewSet.query_synced_folder() method. The method uses get_object_or_404(Sync, pk=pk) without filtering by the current space, enabling an admin user in one space to access and manipulate Sync configurations of other spaces. This can lead to unauthorized triggering of sync operations (Dropbox, Nextcloud, Local import) and viewing of sync logs across spaces. The vulnerability has a CVSS 4.0 score of 5.5 (medium severity) and was patched in version 2.6.0.
Potential Impact
An admin user in one space can bypass authorization controls to access and trigger sync operations on Sync configurations belonging to other spaces, potentially exposing sync logs and data related to those spaces. This cross-space access violates intended access controls and could lead to information disclosure within the multi-tenant environment of the application.
Mitigation Recommendations
Upgrade Tandoor Recipes to version 2.6.0 or later, where this authorization bypass vulnerability has been fixed. No other mitigations are specified or required once the official patch is applied.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-02-27T20:57:47.709Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69c589313c064ed76fb167b7
Added to database: 3/26/2026, 7:29:53 PM
Last enriched: 4/3/2026, 1:41:34 PM
Last updated: 5/11/2026, 5:31:25 AM
Views: 56
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.