Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Missing authorization vulnerability exists in Movable Type. Under certain conditions, when a user without administrator privileges signs in to the product, unintended update processing may be executed.
AnalysisAI
Missing authorization in Movable Type allows authenticated non-administrator users to trigger unintended update operations under certain conditions. Affecting Movable Type, Movable Type Advanced, and Movable Type Premium products by Six Apart Ltd., the flaw (CWE-862) permits a low-privileged user to bypass access controls and perform write operations that should be restricted to administrators. No public exploit or CISA KEV listing exists at time of analysis; the vendor released a fix in version 9.0.8 on 2026-05-20 per the Six Apart advisory.
Technical ContextAI
The vulnerability is classified as CWE-862 (Missing Authorization), meaning the application fails to perform an authorization check before executing a sensitive update operation. Movable Type is a content management system (CMS) developed by Six Apart Ltd. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) confirms the flaw is reachable over the network by a low-privileged authenticated user with no additional complexity or user interaction required. Affected product lines - confirmed via CPE strings - include Movable Type (cpe:2.3:a:six_apart_ltd.:movable_type), Movable Type Advanced (cpe:2.3:a:six_apart_ltd.:movable_type_advanced), and Movable Type Premium (cpe:2.3:a:six_apart_ltd.:movable_type_premium). The root cause is a server-side enforcement gap: the application does not verify that the authenticated session holds administrator-level privileges before processing the update request.
RemediationAI
The primary remediation is to upgrade to Movable Type 9.0.8 or later, released by Six Apart Ltd. on 2026-05-20 and announced at https://movabletype.org/news/2026/05/mt-908-released.html. This applies to all three affected product lines: Movable Type, Movable Type Advanced, and Movable Type Premium. If an immediate upgrade is not feasible, a practical compensating control is to audit and restrict non-administrator user accounts - removing or suspending accounts for users who do not require regular access, reducing the pool of potential attackers. Additionally, access to the Movable Type administrative interface should be restricted by IP allowlist or network perimeter controls (e.g., VPN-only access) to limit who can authenticate at all, thereby reducing the attack surface until patching is complete. Note that IP-based restrictions may disrupt legitimate remote contributors. The JVN advisory at https://jvn.jp/en/jp/JVN66473735/ should be consulted for any vendor-recommended interim mitigations.
More in Movable Type
View allMovable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7 does not properly use
lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for reque
Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movab
SQL injection vulnerability in the XML-RPC interface in Movable Type Pro and Advanced 6.x before 6.1.3 and 6.2.x before
Movable Type XMLRPC API provided by Six Apart Ltd. Rated critical severity (CVSS 9.8), this vulnerability is remotely ex
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote a
Code injection in Movable Type CMS allows unauthenticated remote attackers to execute arbitrary Perl code with critical
Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1)
Cross-site request forgery (CSRF) vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movab
Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute ar
Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allows remote attackers to take control of sessions via
SQL injection vulnerability in the XML-RPC interface in Movable Type before 5.18, 5.2.x before 5.2.11, and 6.x before 6.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31066
GHSA-98gq-cq48-6gcm