


Perceptive Security
SOC/SIEM Consultancy

Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-managemen…
Published:
17 April 2026 at 22:00:00
Alert date:
18 April 2026 at 02:01:33
Source:
nvd.nist.gov
Web Technologies, Identity & Access
CVE-2026-40350 affects Movary, a self-hosted web application for tracking and rating movies. Prior to version 0.71.1, any authenticated user could reach the admin-only user-management endpoints under /settings/users because the authorization controls in front of them were broken: the admin middleware was not enforced on those routes, and the authorization checks inside the controller used faulty boolean conditions. An ordinary user could therefore enumerate all users and create new administrator accounts, so any user holding a valid session cookie could escalate to administrator. The issue is patched in version 0.71.1.
Technical details
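As an added illustration, not Movary's code and not taken from the advisory, the hypothetical mini-app below reproduces the two defects the description names: an admin-only route group registered without an admin middleware in front of it, and a controller check whose boolean condition is wrong. The /settings/users path comes from the advisory; the session layout, handler names, sample users and the specific boolean slip (an AND written where an OR was meant) are assumptions chosen to show the failure mode and its fix side by side.

```python
"""Hypothetical mini web app showing the two authorization defects named in
the advisory. Not Movary's code; routes, session layout and sample users are
constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable

Session = dict  # {} means "no valid session cookie"
Handler = Callable[["Request"], "Response"]


@dataclass
class Request:
    method: str
    path: str
    session: Session = field(default_factory=dict)
    body: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: object = None


class UserStore:
    """In-memory user table with constructed sample data (no real database)."""

    def __init__(self):
        self.users = {1: {"name": "admin", "is_admin": True},
                      2: {"name": "alice", "is_admin": False}}

    def add(self, name: str, is_admin: bool) -> int:
        uid = max(self.users) + 1
        self.users[uid] = {"name": name, "is_admin": is_admin}
        return uid


class UserController:
    def __init__(self, store: UserStore, buggy_check: bool):
        self.store = store
        self.buggy_check = buggy_check

    def _forbidden(self, session: Session) -> bool:
        if self.buggy_check:
            # Defect 2 (faulty boolean): intended "no session OR not admin",
            # written with AND. With any valid session the left operand is
            # False, so the check never denies a logged-in user.
            return not session and not session.get("is_admin", False)
        return not session or not session.get("is_admin", False)

    def list_users(self, req: Request) -> Response:
        if self._forbidden(req.session):
            return Response(403)
        return Response(200, [u["name"] for u in self.store.users.values()])

    def create_user(self, req: Request) -> Response:
        if self._forbidden(req.session):
            return Response(403)
        uid = self.store.add(req.body["name"], bool(req.body.get("is_admin")))
        return Response(201, uid)


def require_session(handler: Handler) -> Handler:
    def wrapped(req: Request) -> Response:
        return handler(req) if req.session else Response(401)
    return wrapped


def require_admin(handler: Handler) -> Handler:
    # Defect 1 is the absence of this wrapper on the admin routes: with it
    # in place, the controller-level bug is unreachable (defense in depth).
    def wrapped(req: Request) -> Response:
        if not req.session.get("is_admin", False):
            return Response(403)
        return handler(req)
    return wrapped


def build_app(patched: bool) -> Callable[[Request], Response]:
    store = UserStore()
    ctrl = UserController(store, buggy_check=not patched)
    admin_guard = require_admin if patched else (lambda h: h)
    routes = {
        ("GET", "/settings/users"): require_session(admin_guard(ctrl.list_users)),
        ("POST", "/settings/users"): require_session(admin_guard(ctrl.create_user)),
    }

    def app(req: Request) -> Response:
        handler = routes.get((req.method, req.path))
        return handler(req) if handler else Response(404)

    app.store = store  # exposed so callers can inspect the resulting user table
    return app


def escalate_as_ordinary_user(app) -> tuple:
    """Replay the advisory's scenario: a non-admin session enumerates users and
    tries to create an administrator. Returns (list_status, create_status,
    new_admin_exists)."""
    alice = {"user_id": 2, "is_admin": False}
    listed = app(Request("GET", "/settings/users", alice))
    created = app(Request("POST", "/settings/users", alice,
                          {"name": "mallory", "is_admin": True}))
    new_admin = any(u["name"] == "mallory" and u["is_admin"]
                    for u in app.store.users.values())
    return listed.status, created.status, new_admin


if __name__ == "__main__":
    print("vulnerable:", escalate_as_ordinary_user(build_app(patched=False)))
    print("patched:   ", escalate_as_ordinary_user(build_app(patched=True)))
```

The point of keeping both guards in the patched build is that a single boolean slip in a controller should not be enough to expose an admin function: the route-level middleware decides who may reach the handler at all, and the controller check is a second, independent barrier.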
Mitigation steps:
Upgrade Movary to version 0.71.1 or later. Because a vulnerable instance allowed any authenticated user to create administrator accounts, review the user list for unexpected administrators after upgrading.
Affected products:
Movary
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-40350
https://github.com/leepeuker/movary/commit/92c7400486f5fe9f350046e04e45a8502778bf39
https://github.com/leepeuker/movary/pull/749
https://github.com/leepeuker/movary/releases/tag/0.71.1
https://github.com/leepeuker/movary/security/advisories/GHSA-7r3f-9fwv-p43w
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
