
Movary CVE-2026-40349

| EUVD-2026-23619 HIGH
Missing Authorization (CWE-862)
2026-04-18 GitHub_M
8.8
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline (8 events, newest first)

Patch released        Apr 27, 2026 - 14:09  nvd         (patch available)
Patch available       Apr 18, 2026 - 01:01  EUVD
Analysis Updated      Apr 18, 2026 - 00:27  vuln.today  (v2, cvss_changed)
Re-analysis Queued    Apr 18, 2026 - 00:22  vuln.today  (cvss_changed)
Analysis Generated    Apr 18, 2026 - 00:18  vuln.today
EUVD ID Assigned      Apr 18, 2026 - 00:15  euvd        (EUVD-2026-23619)
Analysis Generated    Apr 18, 2026 - 00:15  vuln.today
CVE Published         Apr 18, 2026 - 00:05  nvd         (HIGH 8.8)

Description (GitHub Advisory)

Movary is a self-hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending isAdmin=true to PUT /settings/users/{userId} for their own user ID. The endpoint is intended to let a user edit their own profile, but it updates the sensitive isAdmin field without any admin-only authorization check. Version 0.71.1 patches the issue.
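The bug class the advisory describes, modelled as an added Python example (it is not Movary's own code, which is PHP): a profile-update handler that applies every recognised body field after only a "is this your own profile" check, so isAdmin flows through, beside a hardened handler that allowlists the fields a user may set on themselves and fails closed on anything else. Only the endpoint shape (PUT /settings/users/{userId} with an isAdmin body field) comes from the advisory; the in-memory user table, the name/email fields and all function names are assumptions.

```python
"""Model of the CVE-2026-40349 bug class: a self-service profile update that
copies a privileged field (isAdmin) from the request body without an
admin-only check, beside a hardened version.

Added example, not Movary's code. Only the endpoint shape
(PUT /settings/users/{userId} with an isAdmin body field) comes from the
advisory; the user table, field names and function names are assumptions.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Stands in for an HTTP 403 from the handler."""


@dataclass
class User:
    id: int
    name: str
    email: str
    is_admin: bool = False


# Constructed in-memory user table standing in for the application database.
USERS: dict[int, User] = {}


def reset_users() -> None:
    """Reset the constructed table: one admin, one ordinary user."""
    USERS.clear()
    USERS[1] = User(1, "admin", "admin@example.test", is_admin=True)
    USERS[2] = User(2, "alice", "alice@example.test")


# JSON body keys mapped onto User attributes (assumed names).
FIELD_MAP = {"name": "name", "email": "email", "isAdmin": "is_admin"}

# Keys an ordinary user may change on their own profile. isAdmin is
# deliberately absent: privilege flags are never self-service.
SELF_EDITABLE = {"name", "email"}


def _load(actor_id: int, target_id: int) -> tuple[User, User]:
    """Shared ownership check: you may edit yourself, admins may edit anyone."""
    actor, target = USERS[actor_id], USERS[target_id]
    if actor_id != target_id and not actor.is_admin:
        raise Forbidden("may only edit own profile")
    return actor, target


def update_user_vulnerable(actor_id: int, target_id: int, body: dict) -> User:
    """Pre-0.71.1 behaviour as the advisory describes it: after the ownership
    check, every recognised key is applied, so isAdmin flows through."""
    _, target = _load(actor_id, target_id)
    for key, value in body.items():
        if key in FIELD_MAP:
            setattr(target, FIELD_MAP[key], value)
    return target


def update_user_hardened(actor_id: int, target_id: int, body: dict) -> User:
    """Hardened handler: keys outside the self-editable allowlist (including
    keys the handler does not know) require an admin actor, and the request
    is rejected rather than silently stripped so the attempt is visible."""
    actor, target = _load(actor_id, target_id)
    restricted = set(body) - SELF_EDITABLE
    if restricted and not actor.is_admin:
        raise Forbidden(f"field(s) {sorted(restricted)} require admin")
    for key, value in body.items():
        if key in FIELD_MAP:
            if key == "isAdmin" and not isinstance(value, bool):
                raise Forbidden("isAdmin must be a JSON boolean")
            setattr(target, FIELD_MAP[key], value)
    return target


def self_escalation_succeeds(handler) -> bool:
    """Replay the advisory's request (own user ID, body {"isAdmin": true})
    through a handler and report whether the ordinary user became admin."""
    reset_users()
    try:
        handler(2, 2, {"isAdmin": True})
    except Forbidden:
        pass
    return USERS[2].is_admin


if __name__ == "__main__":
    print("vulnerable:", self_escalation_succeeds(update_user_vulnerable))  # True
    print("hardened:  ", self_escalation_succeeds(update_user_hardened))    # False
```

Two design points matter beyond the fix itself: the allowlist names the fields a user may set on themselves rather than denylisting "dangerous" ones, so a privileged column added later is safe by default; and the privilege decision reads the actor's stored role, never anything in the request.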

Analysis (AI)

{userId} with isAdmin=true for their own user ID, low-privilege users gain full administrative access. Movary versions prior to 0.71.1 are affected. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain low-privilege credentials
Delivery: Authenticate to Movary web app
Exploit: Craft PUT request with isAdmin=true
Execution: Send to /settings/users/{own-id}
Persist: Escalate to admin role
Impact: Access sensitive user data

Vulnerability Assessment (AI)

Exploitation: Requires valid credentials for any authenticated account on the Movary instance; where self-registration is open, anyone can create such an account. The attack is a single PUT against the attacker's own user ID and needs no interaction from any other user. …
Risk Assessment: Real-world risk is HIGH for Movary deployments, in line with the 8.8 (HIGH) CVSS base score: the only precondition is an ordinary account, and the outcome is full administrative control of the instance. …
Exploit Scenario: An attacker registers a standard user account on a Movary instance (or compromises existing low-privilege credentials via phishing). Using browser developer tools or an HTTP client like curl, the attacker crafts a PUT request to `https://[movary-instance]/settings/users/[their-user-id]` with a JSON payload containing `{"isAdmin": true}` alongside normal profile fields. …
Remediation: Upgrade immediately to Movary version 0.71.1 or later, released at https://github.com/leepeuker/movary/releases/tag/0.71.1. Upgrading closes the endpoint but does not undo escalations that have already happened, so review which accounts hold the administrator role after the upgrade and demote any that should not. …

Recommended Action (AI)

Within 24 hours: Inventory all Movary instances and confirm versions currently deployed. …



CVE-2026-40349 vulnerability details – vuln.today
