CVE-2026-40350

EUVD-2026-23632

18.04.2026, 01:16

Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use them to enumerate all users and create a new administrator account. This happens because the route definitions do not enforce admin-only middleware, and the controller-level authorization check uses a broken boolean condition. As a result, any user with a valid web session cookie can reach functionality that should be restricted to administrators. Version 0.71.1 patches the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Affected Products (NVD)

Vendor	Product	Version
leepeuker	movary	𝑥 < 0.71.1

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/leepeuker/movary/security/advisories/GHSA-7r3f-9fwv-p43w

Common Weakness Enumeration

CWE-863 - Incorrect Authorization
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References

https://github.com/leepeuker/movary/commit/92c7400486f5fe9f350046e04e45a8502778bf39

https://github.com/leepeuker/movary/pull/749

https://github.com/leepeuker/movary/releases/tag/0.71.1

https://github.com/leepeuker/movary/security/advisories/GHSA-7r3f-9fwv-p43w