
Movary CVE-2026-40350

EUVD-2026-23632 | HIGH
Incorrect Authorization (CWE-863)
Published 2026-04-18 · GitHub_M
CVSS 3.1: 8.8 (GitHub Advisory)

Severity by source

GitHub Advisory (primary): 8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory; it is the only source scoring this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: Low (PR:L)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: High (C:H)
Integrity: High (I:H)
Availability: High (A:H)

Lifecycle Timeline (8 events)

Apr 27, 2026 14:09 (nvd): Patch released
Apr 18, 2026 02:01 (EUVD): Patch available
Apr 18, 2026 01:30 (vuln.today): Analysis updated, v2 (cvss_changed)
Apr 18, 2026 01:22 (vuln.today): Re-analysis queued (cvss_changed)
Apr 18, 2026 01:09 (vuln.today): Analysis generated
Apr 18, 2026 01:00 (euvd): EUVD ID assigned, EUVD-2026-23632
Apr 18, 2026 01:00 (vuln.today): Analysis generated
Apr 18, 2026 00:07 (nvd): CVE published, rated HIGH 8.8

Description (GitHub Advisory)

Movary is a self-hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints under /settings/users and use them to enumerate all users and create a new administrator account. This happens because the route definitions do not enforce admin-only middleware, and the controller-level authorization check uses a broken boolean condition. As a result, any user with a valid web session cookie can reach functionality that should be restricted to administrators. Version 0.71.1 patches the issue.

Analysis (AI)

Privilege escalation in Movary (self-hosted movie tracking app) versions before 0.71.1 allows any authenticated user to create administrator accounts and access user-management functions. The vulnerability stems from missing middleware enforcement and a broken boolean condition in authorization checks for /settings/users endpoints. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Obtain low-privilege user credentials
Delivery: Authenticate and establish a web session
Exploit: Send a direct HTTP POST to /settings/users
Install: Bypass the broken authorization check
C2: Enumerate existing users
Execute: Create a new administrator account
Impact: Access admin functions for full system control
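The two defects the advisory description names (a route registered without admin-only middleware, and a controller-level guard with a wrong boolean condition) and the attack-chain stages listed above, modelled together in an added Python example. This is illustrative code written for this page, not Movary's own PHP code: the page does not show Movary's actual condition, so the broken guard below is an assumed instance of the pattern (an AND where an OR was needed), and the user names, the `/settings/users` handler shapes and the `is_admin` field are constructed for the example.

```python
"""Added example: route-level middleware plus controller guard for an
admin-only endpoint, in a vulnerable and a fixed build. Hypothetical code,
not Movary's; the broken condition is an assumed instance of the bug class."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class User:
    name: str
    is_admin: bool


@dataclass
class Request:
    method: str
    path: str
    user: Optional[User]  # None means no valid session cookie


@dataclass
class Response:
    status: int
    body: object = None


Guard = Callable[[Request], Optional[Response]]


def require_admin(req: Request) -> Optional[Response]:
    """Correct guard: deny unless there is a session AND it belongs to an admin."""
    if req.user is None or not req.user.is_admin:
        return Response(403, "forbidden")
    return None


def broken_guard(req: Request) -> Optional[Response]:
    """Assumed broken guard: the AND means the deny branch is only reached for
    anonymous requests, so any authenticated non-admin passes."""
    authenticated = req.user is not None
    is_admin = authenticated and req.user.is_admin
    if not authenticated and not is_admin:  # should be: not authenticated OR not is_admin
        return Response(403, "forbidden")
    return None


class Router:
    """Minimal dispatcher: route-level middleware runs before the controller."""

    def __init__(self) -> None:
        self._routes: dict = {}

    def add(self, method: str, path: str, handler, middleware=()) -> None:
        self._routes[(method, path)] = (handler, tuple(middleware))

    def dispatch(self, req: Request, payload: Optional[dict] = None) -> Response:
        entry = self._routes.get((req.method, req.path))
        if entry is None:
            return Response(404, "not found")
        handler, middleware = entry
        for mw in middleware:
            denied = mw(req)
            if denied is not None:
                return denied
        return handler(req, payload)


def build_app(vulnerable: bool):
    """Vulnerable build: no middleware on the route and the broken controller guard.
    Fixed build: admin middleware on the route AND the correct guard in the
    controller, so either layer alone would still stop a non-admin."""
    users = {"alice": User("alice", True), "bob": User("bob", False)}  # constructed store
    guard: Guard = broken_guard if vulnerable else require_admin
    middleware = () if vulnerable else (require_admin,)

    def list_users(req: Request, payload) -> Response:
        denied = guard(req)
        if denied is not None:
            return denied
        return Response(200, sorted(users))  # user enumeration

    def create_user(req: Request, payload) -> Response:
        denied = guard(req)
        if denied is not None:
            return denied
        users[payload["name"]] = User(payload["name"], bool(payload.get("is_admin")))
        return Response(201, payload["name"])

    router = Router()
    router.add("GET", "/settings/users", list_users, middleware)
    router.add("POST", "/settings/users", create_user, middleware)
    return router, users


def probe(vulnerable: bool) -> dict:
    """Replay the attack chain as the low-privilege user bob (plus one anonymous
    request) and report what each build allows."""
    router, users = build_app(vulnerable)
    bob = users["bob"]
    anon = router.dispatch(Request("GET", "/settings/users", None))
    enum = router.dispatch(Request("GET", "/settings/users", bob))
    create = router.dispatch(Request("POST", "/settings/users", bob),
                             {"name": "mallory", "is_admin": True})
    return {
        "anon_get": anon.status,
        "bob_get": enum.status,
        "bob_post": create.status,
        "admin_created": "mallory" in users and users["mallory"].is_admin,
    }


if __name__ == "__main__":
    print("vulnerable:", probe(True))   # bob enumerates users and creates an admin
    print("fixed:     ", probe(False))  # bob is refused at the route middleware
```

The point the advisory makes is that both layers were missing at once: without the route middleware, the controller guard was the only check, and its inverted condition let every logged-in user through. The fixed build keeps the check in both places so a future route added without middleware still fails closed at the controller.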

Vulnerability Assessment (AI)

Exploitation: The attacker must possess valid credentials for any authenticated user account in the Movary instance; no administrator privileges are required, only low-privilege user access (CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: Real-world risk is HIGH despite no confirmed active exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker obtains credentials for a standard user account in a Movary instance through credential reuse or social engineering. They authenticate to the web application and obtain a valid session cookie. …
Remediation: Upgrade immediately to Movary version 0.71.1 or later, available at https://github.com/leepeuker/movary/releases/tag/0.71.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Identify all Movary deployments and document current versions in use. …


CVE-2026-40350 vulnerability details – vuln.today
