Description
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=true` to `PUT /settings/users/{userId}` for their own user ID. The endpoint is intended to let a user edit their own profile, but it updates the sensitive `isAdmin` field without any admin-only authorization check. Version 0.71.1 patches the issue.
Published: 2026-04-18
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to Administrator
Action: Patch
AI Analysis

Impact

An authenticated user can gain administrative privileges by sending a PUT request to /settings/users/{userId} with isAdmin=true. The endpoint, intended for self-profile edits, lacks an admin-only authorization check, so a normal user can flip the isAdmin flag on their own account and elevate themselves. This is a missing-authorization weakness (CWE-862) that results in privilege escalation to full administrative rights; the CVE description does not detail the exact extent of actions available to an administrator.

Affected Systems

The vulnerability affects the Movary self‑hosted movie‑tracking application produced by leepeuker. All installations running version 0.70.x or earlier are impacted; version 0.71.1 and later contain the fix.

Risk and Exploitability

The CVSS score of 8.8 classifies the issue as high severity. Exploitation requires only a valid user session; no additional privileges or external conditions are needed. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, but because the endpoint enforces no restriction on the isAdmin field, any legitimate user can easily elevate their own account. The threat remains significant until the application is updated.

Generated by OpenCVE AI on April 18, 2026 at 17:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Movary to version 0.71.1 or later to apply the official patch
  • Disallow the isAdmin field from being altered via the public API by implementing an admin‑only authorization check or removing the field from the endpoint’s payload
  • If an upgrade is temporarily impossible, isolate the /settings/users/{userId} endpoint behind strict access controls and monitor for suspicious requests
  • Review all user accounts to ensure no unintended administrative privileges exist


Advisories

No advisories yet.

History

Sat, 18 Apr 2026 01:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Leepeuker; Leepeuker movary

Type: Vendors & Products
Values Removed: (none)
Values Added: Leepeuker; Leepeuker movary

Sat, 18 Apr 2026 00:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=true` to `PUT /settings/users/{userId}` for their own user ID. The endpoint is intended to let a user edit their own profile, but it updates the sensitive `isAdmin` field without any admin-only authorization check. Version 0.71.1 patches the issue.

Type: Title
Values Removed: (none)
Values Added: Authenticated Movary User Can Self-Escalate to Administrator via PUT /settings/users/{userId} by Setting isAdmin=true

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References
Values Removed: (none)
Values Added: (empty)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-18T00:05:46.360Z

Reserved: 2026-04-10T22:50:01.359Z

Link: CVE-2026-40349

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-18T00:16:38.817

Modified: 2026-04-18T00:16:38.817

Link: CVE-2026-40349

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:15:05Z

Weaknesses