CVE-2026-16224
Received Received - Intake

Improper Authorization in MoviePilot Application API

Vulnerability report for CVE-2026-16224, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-19

Last updated on: 2026-07-19

Assigner: VulDB

Description

A vulnerability was identified in jxxghp MoviePilot up to 2.13.5. The affected element is an unknown function of the file /jxxghp/MoviePilot of the component Application API. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The identifier of the patch is dc2b6910a423b3bfadeffaa303e1ba75cfb33900. Applying a patch is the recommended action to fix this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-19
Last Modified
2026-07-19
Generated
2026-07-19
AI Q&A
2026-07-19
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
jxxghp moviepilot to 2.13.5 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-16224 is an improper authorization vulnerability in jxxghp MoviePilot up to version 2.13.5. It allows remote attackers to access sensitive system settings and secrets through unspecified API manipulation. The flaw enables authenticated non-admin users to read all system configurations and secrets.

Detection Guidance

To detect this vulnerability, check if unauthenticated or non-admin users can access sensitive system endpoints like /statistic, /storage, /processes, /downloader, /schedule, /transfer, /cpu, /memory, or /network. Review API logs for unauthorized access attempts to these paths.

Impact Analysis

This vulnerability allows unauthorized users to access sensitive system information, including secrets and settings. Attackers could exploit it to extract credentials, API keys, or other confidential data, potentially leading to further system compromise or data breaches. The impact is higher in Docker environments where the application is exposed.

Compliance Impact

This vulnerability likely violates compliance requirements for GDPR and HIPAA due to unauthorized access to sensitive data. GDPR mandates strict access controls for personal data, while HIPAA requires protection of health information. The exposure of system secrets and settings could result in non-compliance, legal penalties, and reputational damage.

Mitigation Strategies

Apply the patch from commit dc2b6910a423b3bfadeffaa303e1ba75cfb33900 to restrict access to sensitive endpoints. Ensure only superusers or properly authenticated users can access system settings and secrets. Update authentication requirements for API endpoints as described in the patch.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16224. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart