CVE-2026-40349
Published: 18 April 2026
Summary
CVE-2026-40349 is a high-severity Missing Authorization (CWE-862) vulnerability in Leepeuker Movary. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 2.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations on endpoints like PUT /settings/users/{userId} to prevent authenticated users from updating sensitive isAdmin fields without admin checks.
- Employs least privilege to restrict ordinary users from escalating to administrator privileges via self-profile modifications.
- Manages user accounts to prohibit self-escalation of privileges such as modifying isAdmin status.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The missing authorization check on the PUT /settings/users/{userId} endpoint directly allows an authenticated low-privileged user to modify the isAdmin field and escalate to administrative privileges, mapping to Exploitation for Privilege Escalation.
NVD Description
Movary is a self-hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=true` to `PUT /settings/users/{userId}` for their own user ID. The endpoint is intended to let a user edit their own profile, but it updates the sensitive `isAdmin` field without any admin-only authorization check. Version 0.71.1 patches the issue.
Deeper analysis
CVE-2026-40349 is a missing authorization vulnerability (CWE-862) in Movary, a self-hosted web application for tracking and rating movies. In versions prior to 0.71.1, the `PUT /settings/users/{userId}` endpoint, intended for users to edit their own profiles, allows updating the sensitive `isAdmin` field without any admin-only authorization checks. An ordinary authenticated user can thus send `isAdmin=true` for their own user ID to escalate privileges.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and low privileges required. Any authenticated user with network access can exploit it remotely without user interaction, achieving full administrative control over the Movary instance, which could enable data manipulation, user management, or further compromise of the self-hosted environment.
Movary version 0.71.1 patches the issue by adding the necessary authorization checks. Security practitioners should upgrade to this version immediately, as detailed in the GitHub security advisory (GHSA-mcfq-8rx7-w25v), the patching commit (12c8a090051b1a1c07a3aa48922f3bc9ffe44c8b), pull request #750, and the release notes for 0.71.1.
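As an added illustration (not Movary's own code, which is PHP), the following Python model places the flawed profile-update handler beside a hardened one. The in-memory user table, the field names and the handler signatures are constructed for this example; the point is that `isAdmin` must be gated on the caller being an administrator, independently of the "may only edit own profile" check.

```python
from dataclasses import dataclass

@dataclass
class User:
    id: int
    name: str
    is_admin: bool = False

class Forbidden(Exception):
    """Raised when a request fails an authorization check."""

def make_users():
    """Constructed in-memory user table: one administrator, one ordinary user."""
    return {1: User(1, "admin", True), 2: User(2, "alice", False)}

def _check_can_edit(actor, target_id):
    # Both variants get this right: only admins may edit someone else's profile.
    if actor.id != target_id and not actor.is_admin:
        raise Forbidden("may only edit own profile")

def update_user_vulnerable(users, actor_id, target_id, body):
    """Models the pre-0.71.1 handler: every submitted field is applied, so a
    self-edit carrying isAdmin=true makes the caller an administrator."""
    actor, target = users[actor_id], users[target_id]
    _check_can_edit(actor, target_id)
    if "name" in body:
        target.name = body["name"]
    if "isAdmin" in body:
        target.is_admin = bool(body["isAdmin"])  # no admin-only gate (the flaw)
    return target

def update_user_fixed(users, actor_id, target_id, body):
    """Hardened handler: isAdmin is an admin-only field (AC-3 / AC-6). A non-admin
    submitting it is refused outright, so the attempt surfaces in error logs."""
    actor, target = users[actor_id], users[target_id]
    _check_can_edit(actor, target_id)
    if "isAdmin" in body and not actor.is_admin:
        raise Forbidden("isAdmin may only be changed by an administrator")
    if "name" in body:
        target.name = body["name"]
    if "isAdmin" in body:
        target.is_admin = bool(body["isAdmin"])
    return target

def is_rejected(handler, users, actor_id, target_id, body):
    # True if the handler refuses the request with Forbidden.
    try:
        handler(users, actor_id, target_id, body)
    except Forbidden:
        return True
    return False
```

Rejecting rather than silently dropping the field is a deliberate choice: a 403 on a self-edit that carries `isAdmin` is a clean detection signal for the operator.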
Details
- CWE(s): CWE-862 (Missing Authorization)