Skip to main content

Movable Type CVE-2026-44392

| EUVDEUVD-2026-31066 MEDIUM
Missing Authorization (CWE-862)
2026-05-20 jpcert GHSA-98gq-cq48-6gcm
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVSS changed
May 20, 2026 - 07:22 NVD
4.3 (MEDIUM) 5.3 (MEDIUM)
Analysis Generated
May 20, 2026 - 07:01 vuln.today

DescriptionCVE.org

Missing authorization vulnerability exists in Movable Type. Under certain conditions, when a user without administrator privileges signs in to the product, unintended update processing may be executed.

AnalysisAI

Missing authorization in Movable Type allows authenticated non-administrator users to trigger unintended update operations under certain conditions. Affecting Movable Type, Movable Type Advanced, and Movable Type Premium products by Six Apart Ltd., the flaw (CWE-862) permits a low-privileged user to bypass access controls and perform write operations that should be restricted to administrators. No public exploit or CISA KEV listing exists at time of analysis; the vendor released a fix in version 9.0.8 on 2026-05-20 per the Six Apart advisory.

Technical ContextAI

The vulnerability is classified as CWE-862 (Missing Authorization), meaning the application fails to perform an authorization check before executing a sensitive update operation. Movable Type is a content management system (CMS) developed by Six Apart Ltd. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) confirms the flaw is reachable over the network by a low-privileged authenticated user with no additional complexity or user interaction required. Affected product lines - confirmed via CPE strings - include Movable Type (cpe:2.3:a:six_apart_ltd.:movable_type), Movable Type Advanced (cpe:2.3:a:six_apart_ltd.:movable_type_advanced), and Movable Type Premium (cpe:2.3:a:six_apart_ltd.:movable_type_premium). The root cause is a server-side enforcement gap: the application does not verify that the authenticated session holds administrator-level privileges before processing the update request.

RemediationAI

The primary remediation is to upgrade to Movable Type 9.0.8 or later, released by Six Apart Ltd. on 2026-05-20 and announced at https://movabletype.org/news/2026/05/mt-908-released.html. This applies to all three affected product lines: Movable Type, Movable Type Advanced, and Movable Type Premium. If an immediate upgrade is not feasible, a practical compensating control is to audit and restrict non-administrator user accounts - removing or suspending accounts for users who do not require regular access, reducing the pool of potential attackers. Additionally, access to the Movable Type administrative interface should be restricted by IP allowlist or network perimeter controls (e.g., VPN-only access) to limit who can authenticate at all, thereby reducing the attack surface until patching is complete. Note that IP-based restrictions may disrupt legitimate remote contributors. The JVN advisory at https://jvn.jp/en/jp/JVN66473735/ should be consulted for any vendor-recommended interim mitigations.

CVE-2015-1592 HIGH POC
7.5 Feb 19

Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7 does not properly use

CVE-2013-0209 HIGH POC
7.5 Jan 23

lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for reque

CVE-2021-20837 CRITICAL POC
9.8 Oct 26

Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movab

CVE-2016-5742 CRITICAL
9.8 Jan 23

SQL injection vulnerability in the XML-RPC interface in Movable Type Pro and Advanced 6.x before 6.1.3 and 6.2.x before

CVE-2022-38078 CRITICAL
9.8 Aug 24

Movable Type XMLRPC API provided by Six Apart Ltd. Rated critical severity (CVSS 9.8), this vulnerability is remotely ex

CVE-2012-1503 MEDIUM POC
4.3 Aug 29

Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote a

CVE-2026-25776 CRITICAL
9.3 Apr 08

Code injection in Movable Type CMS allows unauthenticated remote attackers to execute arbitrary Perl code with critical

CVE-2020-5577 HIGH
8.8 May 14

Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1)

CVE-2020-5576 HIGH
8.8 May 14

Cross-site request forgery (CSRF) vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movab

CVE-2013-2184 HIGH
7.5 Mar 27

Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute ar

CVE-2012-0320 HIGH
7.5 Mar 03

Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allows remote attackers to take control of sessions via

CVE-2014-9057 HIGH
7.5 Dec 16

SQL injection vulnerability in the XML-RPC interface in Movable Type before 5.18, 5.2.x before 5.2.11, and 6.x before 6.

Share

CVE-2026-44392 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy