CVE-2026-40350

HIGH SEVERITY

CVSS Score & Metrics

Base Score

8.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H                                    

Vulnerability Description

Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use them to enumerate all users and create a new administrator account. This happens because the route definitions do not enforce admin-only middleware, and the controller-level authorization check uses a broken boolean condition. As a result, any user with a valid web session cookie can reach functionality that should be restricted to administrators. Version 0.71.1 patches the issue.

Vulnerability Details

Published Date

April 18, 2026

Last Modified

April 18, 2026

CWE ID

CWE-863

Source

NVD

Vendor

leepeuker

Product

movary

External References

https://github.com/leepeuker/movary/commit/92c7400486f5fe9f350046e04e45a8502778bf39
https://github.com/leepeuker/movary/pull/749
https://github.com/leepeuker/movary/releases/tag/0.71.1
https://github.com/leepeuker/movary/security/advisories/GHSA-7r3f-9fwv-p43w

CVE-2026-40350

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment