CVE-2026-44392
Missing Authorization in Movable Type Allows Unintended Updates
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: JPCERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| six_apart | movable_type | to 9.1.1 (exc) |
| six_apart | movable_type | to 9.0.7 (exc) |
| six_apart | movable_type | to 8.8.3 (exc) |
| six_apart | movable_type | to 8.0.10 (exc) |
| six_apart | movable_type | to 2.14 (inc) |
| six_apart | movable_type | to 8.4.4 (inc) |
| six_apart | movable_type | 9.0.8 |
| six_apart | movable_type | 8.8.4 |
| six_apart | movable_type | 8.0.11 |
| six_apart | movable_type | 9.2.0 |
| six_apart | movable_type_premium | 2.15 |
| six_apart | movable_type_premium | 2.16 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44392 is a missing authorization vulnerability in Movable Type. Under certain conditions, a user without administrator privileges can sign in and unintentionally trigger update processing of the product or its plugins.
This means that users who should not have permission to perform upgrades or updates may be able to do so, potentially leading to unauthorized changes in the system.
How can this vulnerability impact me? :
This vulnerability can allow unauthorized users to initiate upgrade or update processes in Movable Type, which they should not be able to perform.
Such unauthorized update processing could lead to unintended changes in the system, potentially destabilizing the environment or introducing security risks.
It may also allow attackers to bypass normal administrative controls, increasing the risk of further exploitation or system compromise.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-44392 vulnerability in Movable Type, immediate steps include updating to the fixed versions that address this issue.
- Update Movable Type to versions 9.2.0, 9.0.8, 8.8.4, or 8.0.11 as applicable.
- For Movable Type Premium, update to versions 9.2.0, 9.0.8, or 2.16.
- Use the environment variable RequireUpgradePermission to control and restrict upgrade processing permissions.
If immediate updates are not possible, consider disabling features that allow unintended update processing by non-administrator users.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows users without administrator privileges to execute unintended update processing in Movable Type, which could lead to unauthorized changes in the system.
Such unauthorized actions may impact the integrity and security of data managed by Movable Type, potentially leading to non-compliance with data protection standards and regulations like GDPR and HIPAA that require strict access controls and data integrity safeguards.
However, the provided information does not explicitly describe the direct effects on compliance with these standards.