CVE-2026-40350
Received Received - Intake
Authorization Bypass in Movary Allows Privilege Escalation

Publication date: 2026-04-18

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use them to enumerate all users and create a new administrator account. This happens because the route definitions do not enforce admin-only middleware, and the controller-level authorization check uses a broken boolean condition. As a result, any user with a valid web session cookie can reach functionality that should be restricted to administrators. Version 0.71.1 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-18
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40350
EUVD
EUVD-2026-23632
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
leepeuker movary to 0.71.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Movary, a self-hosted web app for tracking and rating watched movies. Before version 0.71.1, any authenticated user could access user-management endpoints such as `/settings/users` without proper admin-only restrictions. Due to missing admin middleware and a flawed authorization check in the controller, ordinary users could enumerate all users and create new administrator accounts. Essentially, users with a valid session could perform actions that should be limited to administrators.

Impact Analysis

This vulnerability can have severe impacts because it allows any authenticated user to escalate their privileges to administrator level. This means an attacker could gain full control over the application, including managing users and potentially accessing or modifying sensitive data. The CVSS score of 8.8 indicates high severity, with impacts on confidentiality, integrity, and availability.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Movary to version 0.71.1 or later, as this version patches the issue by enforcing proper admin-only middleware and fixing the broken authorization check.

Compliance Impact

This vulnerability allows any authenticated user to enumerate all users and create a new administrator account due to improper access controls in Movary versions prior to 0.71.1.

Such unauthorized access and privilege escalation can lead to unauthorized disclosure, modification, or deletion of sensitive user data.

Consequently, this could result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40350. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart