Description
Missing authorization vulnerability exists in Movable Type. Under certain conditions, when a user without administrator privileges signs in to the product, unintended update processing may be executed.
Published: 2026-05-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization flaw in Movable Type allows a non‑administrator who logs in to trigger unintended update processing. When the conditions are met, the product can modify content or configuration without proper approval, violating data integrity and potentially compromising sensitive information. The flaw maps to CWE‑862, indicating an authorization bypass vulnerability.

Affected Systems

Six Apart Ltd. offers this flaw across its Movable Type family, including the standard, Advanced, Premium, and Premium (Advanced Edition) variants. Versions for which the vulnerability applies are not supplied in the CVE entry.

Risk and Exploitability

The CVSS score is 5.3, indicating a moderate risk. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. Attackers likely exploit the issue by entering a normal user account and performing actions that trigger the unintended update path; no special conditions or elevated privileges are required beyond a valid login.

Generated by OpenCVE AI on May 20, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Movable Type 9.0.8 or later to obtain the vendor’s fix
  • If upgrading is delayed, temporarily disable or restrict the update processing feature so that only administrators can trigger it
  • Monitor system logs for unexpected content changes and enforce strict audit trails

Generated by OpenCVE AI on May 20, 2026 at 07:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Six Apart
Six Apart movable Type
Six Apart movable Type Advanced
Six Apart movable Type Premium
Six Apart movable Type Premium Advanced Edition
Vendors & Products Six Apart
Six Apart movable Type
Six Apart movable Type Advanced
Six Apart movable Type Premium
Six Apart movable Type Premium Advanced Edition

Wed, 20 May 2026 07:45:00 +0000

Type Values Removed Values Added
Title Missing Authorization Allows Unintended Updates in Movable Type

Wed, 20 May 2026 06:30:00 +0000

Type Values Removed Values Added
Description Missing authorization vulnerability exists in Movable Type. Under certain conditions, when a user without administrator privileges signs in to the product, unintended update processing may be executed.
Weaknesses CWE-862
References
Metrics cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Six Apart Movable Type Movable Type Advanced Movable Type Premium Movable Type Premium Advanced Edition
cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-05-20T13:04:04.783Z

Reserved: 2026-05-18T05:54:22.563Z

Link: CVE-2026-44392

cve-icon Vulnrichment

Updated: 2026-05-20T13:03:58.713Z

cve-icon NVD

Status : Deferred

Published: 2026-05-20T07:16:15.317

Modified: 2026-05-20T14:25:17.977

Link: CVE-2026-44392

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T10:37:56Z

Weaknesses