CVE-2026-44392
Deferred Deferred - Pending Action
Missing Authorization in Movable Type Allows Unintended Updates

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: JPCERT/CC

Description
Missing authorization vulnerability exists in Movable Type. Under certain conditions, when a user without administrator privileges signs in to the product, unintended update processing may be executed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-44392
EUVD
EUVD-2026-31066
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
six_apart movable_type to 9.1.1 (exc)
six_apart movable_type to 9.0.7 (exc)
six_apart movable_type to 8.8.3 (exc)
six_apart movable_type to 8.0.10 (exc)
six_apart movable_type to 2.14 (inc)
six_apart movable_type to 8.4.4 (inc)
six_apart movable_type 9.0.8
six_apart movable_type 8.8.4
six_apart movable_type 8.0.11
six_apart movable_type 9.2.0
six_apart movable_type_premium 2.15
six_apart movable_type_premium 2.16
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-44392 is a missing authorization vulnerability in Movable Type. Under certain conditions, a user without administrator privileges can sign in and unintentionally trigger update processing of the product or its plugins.

This means that users who should not have permission to perform upgrades or updates may be able to do so, potentially leading to unauthorized changes in the system.

Impact Analysis

This vulnerability can allow unauthorized users to initiate upgrade or update processes in Movable Type, which they should not be able to perform.

Such unauthorized update processing could lead to unintended changes in the system, potentially destabilizing the environment or introducing security risks.

It may also allow attackers to bypass normal administrative controls, increasing the risk of further exploitation or system compromise.

Mitigation Strategies

To mitigate the CVE-2026-44392 vulnerability in Movable Type, immediate steps include updating to the fixed versions that address this issue.

  • Update Movable Type to versions 9.2.0, 9.0.8, 8.8.4, or 8.0.11 as applicable.
  • For Movable Type Premium, update to versions 9.2.0, 9.0.8, or 2.16.
  • Use the environment variable RequireUpgradePermission to control and restrict upgrade processing permissions.

If immediate updates are not possible, consider disabling features that allow unintended update processing by non-administrator users.

Compliance Impact

The vulnerability allows users without administrator privileges to execute unintended update processing in Movable Type, which could lead to unauthorized changes in the system.

Such unauthorized actions may impact the integrity and security of data managed by Movable Type, potentially leading to non-compliance with data protection standards and regulations like GDPR and HIPAA that require strict access controls and data integrity safeguards.

However, the provided information does not explicitly describe the direct effects on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44392. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart