{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40350", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T22:50:01.359Z", "datePublished": "2026-04-18T00:07:33.324Z", "dateUpdated": "2026-04-20T16:15:39.915Z"}, "containers": {"cna": {"title": "Movary User Management (/settings/users) has Authorization Bypass that Allows Low-Privileged Users to Enumerate All Users and Create Administrator Accounts", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/leepeuker/movary/security/advisories/GHSA-7r3f-9fwv-p43w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/leepeuker/movary/security/advisories/GHSA-7r3f-9fwv-p43w"}, {"name": "https://github.com/leepeuker/movary/pull/749", "tags": ["x_refsource_MISC"], "url": "https://github.com/leepeuker/movary/pull/749"}, {"name": "https://github.com/leepeuker/movary/commit/92c7400486f5fe9f350046e04e45a8502778bf39", "tags": ["x_refsource_MISC"], "url": "https://github.com/leepeuker/movary/commit/92c7400486f5fe9f350046e04e45a8502778bf39"}, {"name": "https://github.com/leepeuker/movary/releases/tag/0.71.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/leepeuker/movary/releases/tag/0.71.1"}], "affected": [{"vendor": "leepeuker", "product": "movary", "versions": [{"version": "< 0.71.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-18T00:07:33.324Z"}, "descriptions": [{"lang": "en", "value": "Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use them to enumerate all users and create a new administrator account. This happens because the route definitions do not enforce admin-only middleware, and the controller-level authorization check uses a broken boolean condition. As a result, any user with a valid web session cookie can reach functionality that should be restricted to administrators. Version 0.71.1 patches the issue."}], "source": {"advisory": "GHSA-7r3f-9fwv-p43w", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T16:10:39.326362Z", "id": "CVE-2026-40350", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:15:39.915Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40350", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-20T16:10:39.326362Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:10:40.549Z"}}], "cna": {"title": "Movary User Management (/settings/users) has Authorization Bypass that Allows Low-Privileged Users to Enumerate All Users and Create Administrator Accounts", "source": {"advisory": "GHSA-7r3f-9fwv-p43w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "leepeuker", "product": "movary", "versions": [{"status": "affected", "version": "< 0.71.1"}]}], "references": [{"url": "https://github.com/leepeuker/movary/security/advisories/GHSA-7r3f-9fwv-p43w", "name": "https://github.com/leepeuker/movary/security/advisories/GHSA-7r3f-9fwv-p43w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/leepeuker/movary/pull/749", "name": "https://github.com/leepeuker/movary/pull/749", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/leepeuker/movary/commit/92c7400486f5fe9f350046e04e45a8502778bf39", "name": "https://github.com/leepeuker/movary/commit/92c7400486f5fe9f350046e04e45a8502778bf39", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/leepeuker/movary/releases/tag/0.71.1", "name": "https://github.com/leepeuker/movary/releases/tag/0.71.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use them to enumerate all users and create a new administrator account. This happens because the route definitions do not enforce admin-only middleware, and the controller-level authorization check uses a broken boolean condition. As a result, any user with a valid web session cookie can reach functionality that should be restricted to administrators. Version 0.71.1 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-18T00:07:33.324Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40350", "state": "PUBLISHED", "dateUpdated": "2026-04-20T16:15:39.915Z", "dateReserved": "2026-04-10T22:50:01.359Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-18T00:07:33.324Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:leepeuker:movary:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B267141-8A10-4807-B49C-F74FEB767E1F", "versionEndExcluding": "0.71.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use them to enumerate all users and create a new administrator account. This happens because the route definitions do not enforce admin-only middleware, and the controller-level authorization check uses a broken boolean condition. As a result, any user with a valid web session cookie can reach functionality that should be restricted to administrators. Version 0.71.1 patches the issue."}], "id": "CVE-2026-40350", "lastModified": "2026-04-27T14:09:42.137", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-18T01:16:19.527", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/leepeuker/movary/commit/92c7400486f5fe9f350046e04e45a8502778bf39"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/leepeuker/movary/pull/749"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/leepeuker/movary/releases/tag/0.71.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/leepeuker/movary/security/advisories/GHSA-7r3f-9fwv-p43w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.71.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "movary", "source": "cna", "vendor": "leepeuker"}, "product": "movary", "vendor": "leepeuker"}], "analysis": {"en": {"generated_at": "2026-04-18T08:43:04.104922+00:00", "value": {"mitigation_remediation": ["Update Movary to version 0.71.1 or later to apply the fix that enforces admin\u2011only access to \"/settings/users\".", "Ensure that the application uses proper middleware checks so that only users with administrative privileges can reach the settings endpoints.", "Audit user accounts for any newly created administrator accounts, revoke those that were added without authorization, and review logs for suspicious activity."], "summary": {"action": "Patch Immediately", "impact": "Privilege Escalation via Unauthorized Administrator Creation"}, "threat_synthesis": {"affected_systems": "Movary, self\u2011hosted web application for tracking movies, versions prior to 0.71.1 by vendor LeePeker.", "description_and_impact": "An authenticated user with a valid web session cookie can access the \"/settings/users\" page and perform actions that should be reserved for administrators. Because the route definitions lack an admin\u2011only middleware and the controller\u2011level check contains an incorrect boolean, the system incorrectly allows any user to enumerate all existing users and to create new administrator accounts. This flaw effectively permits a low\u2011privileged user to elevate privileges without further authentication.", "risk_and_exploitability": "The vulnerability has a CVSS score of 8.8, indicating high severity. The EPSS score is not available, and the issue is not listed in CISA KEV. The flaw can be exploited from any web client that has logged in, allowing an attacker to create additional administrator accounts and gain full control of the application. Because it only requires a valid authenticated session, the attack is trivial for users who already possess credentials or can obtain a session cookie through phishing or other methods. The lack of a KEV designation does not reduce the risk, as the flaw remains exploitable until patches are applied."}}}}, "created": "2026-04-18T02:30:15.751407+00:00", "updated": "2026-04-18T08:45:41.385967+00:00", "vendors": ["leepeuker", "leepeuker$PRODUCT$movary"]}