The vulnerability identified as CVE-2026-28503 affects TandoorRecipes, an application designed for managing recipes, meal planning, and shopping lists. In versions prior to 2.6.0, the SyncViewSet.query_synced_folder() function in the API views improperly fetches Sync objects by primary key without restricting the query to the current space context. Specifically, the call get_object_or_404(Sync, pk=pk) lacks the filter space=request.space, which is necessary to enforce authorization boundaries between different user spaces. This omission allows an administrator user within one space (Space A) to access Sync configurations and trigger synchronization operations (such as Dropbox, Nextcloud, or local imports) belonging to another space (Space B). Consequently, the attacker can view sync logs and potentially interfere with sync processes of other spaces. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond admin in one space, no user interaction, and high impact on integrity and availability within the affected scope. The flaw was patched in version 2.6.0 by adding appropriate space filtering to the query, restoring proper authorization checks. No known exploits are reported in the wild as of now.

This vulnerability can lead to unauthorized access and manipulation of synchronization configurations and logs across isolated user spaces within the TandoorRecipes application. For organizations, this means that an admin in one space can view sensitive sync logs and potentially disrupt or manipulate sync operations in other spaces, undermining data integrity and confidentiality. The impact is particularly significant in multi-tenant environments or organizations using TandoorRecipes to segregate data by teams or departments. Unauthorized sync operations could lead to data leakage between spaces, exposure of user activity logs, and potential disruption of automated data imports or backups. While the vulnerability requires admin privileges in one space, the breach of isolation boundaries can erode trust in the application's security model and complicate compliance with data protection policies. The medium CVSS score reflects moderate risk, but the impact on integrity and availability within affected spaces is high.

The primary mitigation is to upgrade TandoorRecipes to version 2.6.0 or later, where the authorization bypass has been fixed by including space-based filtering in the Sync object queries. Until upgrading, organizations should restrict admin privileges carefully, ensuring that only trusted users have admin access to any space. Implement monitoring and alerting on sync operations and access logs to detect unusual cross-space activity. If possible, isolate critical spaces on separate instances or environments to reduce risk. Review and audit user permissions regularly to minimize the number of admin users. Additionally, consider implementing network segmentation or access controls around the application to limit exposure. Finally, coordinate with the vendor for any backported patches or workarounds if immediate upgrading is not feasible.