CVE-2026-40349

Severity: High · Public PoC

Published: 18 April 2026
Modified: 27 April 2026
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0053 (40.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-40349 is a high-severity Missing Authorization (CWE-862) vulnerability in Leepeuker Movary. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 40.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-40349 is a missing authorization vulnerability (CWE-862) in Movary, a self-hosted web application for tracking and rating movies. In versions prior to 0.71.1, the `PUT /settings/users/{userId}` endpoint, intended for users to edit their own profiles, allows updating the sensitive `isAdmin` field without any admin-only authorization checks. An ordinary authenticated user can thus send `isAdmin=true` for their own user ID to escalate privileges.

The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and low privileges required. Any authenticated user with network access can exploit it remotely without user interaction, achieving full administrative control over the Movary instance, which could enable data manipulation, user management, or further compromise of the self-hosted environment.

Movary version 0.71.1 patches the issue by adding the necessary authorization checks. Security practitioners should upgrade to this version immediately, as detailed in the GitHub security advisory (GHSA-mcfq-8rx7-w25v), the patching commit (12c8a090051b1a1c07a3aa48922f3bc9ffe44c8b), pull request #750, and the release notes for 0.71.1.
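The defect class described above is a self-service update handler that applies a privileged field without checking who is allowed to set it. The following is an added illustrative example, not Movary's code or its actual patch: it models the pre-0.71.1 pattern (the `isAdmin` field accepted from any authenticated user on `PUT /settings/users/{userId}`) next to a hardened handler that authorizes both the target record and each requested field. The field names, `User` record and sample accounts are constructed for the example.

```python
"""Per-field authorization on a self-service user update.

Added illustrative example, not Movary's code: it models the defect in
CVE-2026-40349 (isAdmin accepted from any authenticated user on
PUT /settings/users/{userId}) next to a hardened handler.
"""
from dataclasses import dataclass

@dataclass
class User:
    user_id: int
    name: str
    is_admin: bool = False

class AuthorizationError(Exception):
    pass

SELF_EDITABLE_FIELDS = {"name"}   # ordinary users may change these on their own profile
ADMIN_ONLY_FIELDS = {"isAdmin"}   # only administrators may change these

def make_store():
    """Constructed sample data: one administrator and one ordinary user."""
    return {1: User(1, "admin", True), 2: User(2, "alice")}

def _apply(target, payload):
    """Write the accepted fields onto the user record."""
    if "name" in payload:
        target.name = payload["name"]
    if "isAdmin" in payload:
        target.is_admin = bool(payload["isAdmin"])
    return target

def update_user_vulnerable(actor, users, target_id, payload):
    """Pre-0.71.1 pattern: the payload is applied with no per-field check,
    so a non-admin can set isAdmin on their own record."""
    return _apply(users[target_id], payload)

def update_user_hardened(actor, users, target_id, payload):
    """Patched pattern: authorize the target and every field before writing."""
    if not actor.is_admin and actor.user_id != target_id:
        raise AuthorizationError("ordinary users may only edit their own profile")
    requested = set(payload)
    privileged = requested & ADMIN_ONLY_FIELDS
    if privileged and not actor.is_admin:
        raise AuthorizationError(f"admin-only fields rejected: {sorted(privileged)}")
    unknown = requested - SELF_EDITABLE_FIELDS - ADMIN_ONLY_FIELDS
    if unknown:
        raise ValueError(f"unknown fields rejected: {sorted(unknown)}")
    return _apply(users[target_id], payload)
```

The hardened handler rejects the whole request rather than silently dropping the privileged field, so an attempt to set `isAdmin` surfaces as an authorization failure that can be logged and alerted on.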

Vulnerability details

Movary is a self-hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=true` to `PUT /settings/users/{userId}` for their own user ID. The endpoint is intended to let a user edit their own profile, but it updates the sensitive `isAdmin` field without any admin-only authorization check. Version 0.71.1 patches the issue.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The missing authorization check on the PUT /settings/users/{userId} endpoint directly allows an authenticated low-privileged user to modify the isAdmin field and escalate to administrative privileges, mapping to Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40350 (same product: Leepeuker Movary)
CVE-2026-40348 (same product: Leepeuker Movary)
CVE-2026-23840 (same product: Leepeuker Movary)
CVE-2026-23841 (same product: Leepeuker Movary)
CVE-2026-23839 (same product: Leepeuker Movary)
CVE-2026-32658 (shared CWE-862)
CVE-2026-6506 (shared CWE-862)
CVE-2025-48574 (shared CWE-862)
CVE-2025-21396 (shared CWE-862)
CVE-2021-47701 (shared CWE-862)

Affected Assets

Vendor: leepeuker
Product: movary
Versions: ≤ 0.71.1

Mitigating Controls (NIST 800-53 r5)

prevent (AC-3, Access Enforcement): Enforces approved authorizations on endpoints like PUT /settings/users/{userId} to prevent authenticated users from updating sensitive isAdmin fields without admin checks.

prevent (AC-6, Least Privilege): Employs least privilege to restrict ordinary users from escalating to administrator privileges via self-profile modifications.

prevent: Manages user accounts to prohibit self-escalation of privileges such as modifying isAdmin status.