Description
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use them to enumerate all users and create a new administrator account. This happens because the route definitions do not enforce admin-only middleware, and the controller-level authorization check uses a broken boolean condition. As a result, any user with a valid web session cookie can reach functionality that should be restricted to administrators. Version 0.71.1 patches the issue.
Published: 2026-04-18
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Unauthorized Administrator Creation
Action: Patch Immediately
AI Analysis

Impact

An authenticated user with a valid web session cookie can access the "/settings/users" page and perform actions that should be reserved for administrators. Because the route definitions lack an admin‑only middleware and the controller‑level check contains an incorrect boolean, the system incorrectly allows any user to enumerate all existing users and to create new administrator accounts. This flaw effectively permits a low‑privileged user to elevate privileges without further authentication.
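The following PHP sketch is an added illustration, not Movary's code and not the 0.71.1 patch: it shows the two guards the description says were absent for /settings/users, an admin-only middleware attached to the whole route group and a controller-level check whose boolean test denies by default. Class and function names (User, adminOnly, listUsers, createUser, dispatch) are assumed.

```php
<?php
declare(strict_types=1);
// Added illustration, not Movary's code: both guard layers the advisory says
// were missing for /settings/users. All names here are hypothetical.

final class User
{
    public function __construct(public readonly int $id, public readonly bool $isAdmin) {}
}

// Layer 1: route-group middleware. It runs before any handler in the group, so
// an ordinary session never reaches user enumeration or account creation.
function adminOnly(?User $user, callable $handler): array
{
    if ($user === null || $user->isAdmin !== true) {
        return ['status' => 403, 'body' => 'Forbidden'];
    }
    return $handler($user);
}

// Layer 2: each controller re-checks (defence in depth). A strict identity test
// against true means "no session" (null) and "not admin" (false) both deny.
function listUsers(?User $user): array
{
    if ($user?->isAdmin !== true) {
        return ['status' => 403, 'body' => 'Forbidden'];
    }
    return ['status' => 200, 'body' => 'all users'];
}

function createUser(?User $user, array $form): array
{
    if ($user?->isAdmin !== true) {
        return ['status' => 403, 'body' => 'Forbidden'];
    }
    $newIsAdmin = ($form['isAdmin'] ?? '0') === '1'; // only an admin reaches this line
    return ['status' => 201, 'body' => 'created ' . $form['name'] . ($newIsAdmin ? ' (admin)' : '')];
}

// The middleware wraps the whole /settings/users group rather than each handler,
// so a handler added to the group later cannot be left unguarded by mistake.
function dispatch(string $route, ?User $user, array $form = []): array
{
    $group = [
        'GET /settings/users'  => fn(User $u) => listUsers($u),
        'POST /settings/users' => fn(User $u) => createUser($u, $form),
    ];
    return isset($group[$route]) ? adminOnly($user, $group[$route]) : ['status' => 404, 'body' => 'Not Found'];
}

// Demo with constructed users: the ordinary account is refused on both endpoints.
$ordinary = new User(2, false);
$admin    = new User(1, true);
printf("%d %d %d\n", dispatch('GET /settings/users', $ordinary)['status'],
    dispatch('POST /settings/users', $ordinary, ['name' => 'newadmin', 'isAdmin' => '1'])['status'],
    dispatch('POST /settings/users', $admin, ['name' => 'newadmin', 'isAdmin' => '1'])['status']);
```

Both layers fail closed: removing either one still leaves the ordinary user with a 403 on enumeration and on admin creation.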

Affected Systems

Movary, a self‑hosted web application for tracking movies, versions prior to 0.71.1, from vendor Leepeuker.

Risk and Exploitability

The vulnerability has a CVSS score of 8.8, indicating high severity. The EPSS score is not available, and the issue is not listed in CISA KEV. The flaw can be exploited from any web client that has logged in, allowing an attacker to create additional administrator accounts and gain full control of the application. Because it only requires a valid authenticated session, the attack is trivial for users who already possess credentials or can obtain a session cookie through phishing or other methods. The lack of a KEV designation does not reduce the risk, as the flaw remains exploitable until patches are applied.

Generated by OpenCVE AI on April 18, 2026 at 08:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Movary to version 0.71.1 or later to apply the fix that enforces admin‑only access to "/settings/users".
  • Ensure that the application uses proper middleware checks so that only users with administrative privileges can reach the settings endpoints.
  • Audit user accounts for any newly created administrator accounts, revoke those that were added without authorization, and review logs for suspicious activity.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 02:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Leepeuker; Leepeuker movary
Vendors & Products                    Leepeuker; Leepeuker movary

Sat, 18 Apr 2026 01:00:00 +0000

Type          Values Removed   Values Added
Description                    Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use them to enumerate all users and create a new administrator account. This happens because the route definitions do not enforce admin-only middleware, and the controller-level authorization check uses a broken boolean condition. As a result, any user with a valid web session cookie can reach functionality that should be restricted to administrators. Version 0.71.1 patches the issue.
Title                          Movary User Management (/settings/users) has Authorization Bypass that Allows Low-Privileged Users to Enumerate All Users and Create Administrator Accounts
Weaknesses                     CWE-863
References
Metrics                        cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-18T00:07:33.324Z

Reserved: 2026-04-10T22:50:01.359Z

Link: CVE-2026-40350

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-18T01:16:19.527

Modified: 2026-04-18T01:16:19.527

Link: CVE-2026-40350

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:45:41Z

Weaknesses