CVE-2026-40348
Published: 18 April 2026
Summary
CVE-2026-40348 is a high-severity SSRF (CWE-918) vulnerability in Leepeuker Movary. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Remote System Discovery (T1018). The CVE is ranked at the 1.2th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of user-supplied URLs in endpoints like /settings/jellyfin/server-url-verify to reject internal hosts, loopback addresses, and private ranges, directly preventing SSRF exploitation.
- AC-4 (Information Flow Enforcement): enforces flow control policies restricting server-side HTTP requests from the application to authorized external destinations only, blocking access to arbitrary internal targets.
- SC-7 (Boundary Protection): monitors and controls outbound communications at system boundaries, enabling proxies or firewalls to filter and detect SSRF-induced requests to internal networks.
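The SI-10 control above calls for rejecting internal hosts, loopback addresses and private ranges before the server-side request is sent. The validator below is an added example in Python, not Movary's own code (which is PHP using Guzzle): it checks the scheme, then every address the host actually resolves to, so that IP literals, IPv4-mapped IPv6 forms, link-local metadata ranges and names that resolve to internal addresses are all caught. The `resolve` parameter is an assumption of this example so that a caller can inject its own lookup.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges that ipaddress does not flag as private on every Python version (CGNAT space).
EXTRA_DENY = [ipaddress.ip_network("100.64.0.0/10")]

def is_internal_address(addr: str) -> bool:
    """True if addr must never be the target of a server-side request."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:10.0.0.1 is an IPv4 target in disguise: unwrap it so the IPv4 checks apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in EXTRA_DENY)

def default_resolve(host: str) -> list[str]:
    """Every A/AAAA answer for host; all of them must pass, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_server_url(url: str, resolve=default_resolve) -> list[str]:
    """Check a user-supplied server URL before any outbound request is made.

    Returns the addresses the request may go to, or raises ValueError. The caller
    should connect to one of the returned addresses (not re-resolve the name) and
    disable redirect following, otherwise DNS rebinding or a 302 re-opens the hole.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    host = parts.hostname
    try:
        targets = [str(ipaddress.ip_address(host))]   # IP literal, no DNS involved
    except ValueError:                                # a name: judge what it resolves to
        try:
            targets = resolve(host)
        except OSError as exc:
            raise ValueError(f"host does not resolve: {host!r}") from exc
        if not targets:
            raise ValueError(f"host does not resolve: {host!r}")
    for addr in targets:
        if is_internal_address(addr):
            raise ValueError(f"{host!r} resolves to internal address {addr}")
    return targets
```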
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF enables internal host discovery (T1018), network service discovery via port probing/fingerprinting (T1046), and access to cloud metadata endpoints (T1522).
NVD Description
Movary is a self-hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side requests to arbitrary internal targets through `POST /settings/jellyfin/server-url-verify`. The endpoint accepts a user-controlled URL, appends `/system/info/public`, and sends a server-side HTTP request with Guzzle. Because there is no restriction on internal hosts, loopback addresses, or private network ranges, this can be abused for SSRF and internal network probing. Any ordinary authenticated user can use this endpoint to make the server connect to arbitrary internal targets and distinguish between different network states. This enables SSRF-based internal reconnaissance, including host discovery, port-state probing, and service fingerprinting. In certain deployments, it may also be usable to reach internal administrative services or cloud metadata endpoints that are not directly accessible from the outside. Version 0.71.1 fixes the issue.
Deeper analysis
CVE-2026-40348 is a server-side request forgery (SSRF) vulnerability affecting Movary, a self-hosted web application for tracking and rating watched movies. In versions prior to 0.71.1, the `POST /settings/jellyfin/server-url-verify` endpoint lets an ordinary authenticated user supply a URL; the server appends `/system/info/public` to it and fetches the result with the Guzzle HTTP client. Because no restriction is applied to internal hosts, loopback addresses, or private network ranges, the endpoint can be made to issue server-side HTTP requests to arbitrary internal targets.
Any ordinary authenticated user can exploit this vulnerability remotely with low complexity and no user interaction. It can be abused for SSRF-based internal network reconnaissance, including host discovery, port-state probing, and service fingerprinting, because differences in the endpoint's response behavior reveal the network state of the target. In certain deployments it may also reach internal administrative services or cloud metadata endpoints that are not accessible from outside. The CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) reflects a high confidentiality impact with a changed scope; the weakness is classified as CWE-918.
The issue is fixed in Movary version 0.71.1, as detailed in the project's security advisory (GHSA-2m2v-v563-qqvj), release notes, associated pull request (#751), and fixing commit (d459b3513293d41254f7093aef07010a8e5dcf04). Operators should upgrade to 0.71.1 or later to mitigate the vulnerability.
Details
- CWE(s)