CVE-2026-40350
Published: 18 April 2026
Summary
CVE-2026-40350 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Leepeuker Movary. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 13.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access to user-management endpoints, directly preventing ordinary users from enumerating users and creating admin accounts due to missing middleware and broken checks.
Employs least privilege to restrict non-administrative users from performing privileged actions like admin account creation, mitigating the authorization bypass.
Authorizes access to specific resources such as /settings/users endpoints exclusively by administrator roles, countering the failure to restrict functionality to intended users.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authorization bypass enables exploitation for privilege escalation (T1068) via user enumeration (T1087.001) and creation of new admin accounts (T1136.001) in the web app.
NVD Description
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use them to enumerate all users and create a new…
more
administrator account. This happens because the route definitions do not enforce admin-only middleware, and the controller-level authorization check uses a broken boolean condition. As a result, any user with a valid web session cookie can reach functionality that should be restricted to administrators. Version 0.71.1 patches the issue.
Deeper analysisAI
CVE-2026-40350 is an authorization bypass vulnerability (CWE-863: Incorrect Authorization) affecting Movary, a self-hosted web application for tracking and rating movies. In versions prior to 0.71.1, the user-management endpoints at `/settings/users` lack admin-only middleware enforcement in their route definitions, and the controller-level authorization check relies on a broken boolean condition. This allows any ordinary authenticated user with a valid web session cookie to access functionality intended exclusively for administrators, enabling user enumeration and the creation of new administrator accounts.
The vulnerability can be exploited remotely (AV:N) by any low-privileged authenticated user (PR:L) with low attack complexity (AC:L) and no user interaction required (UI:N), earning a CVSS v3.1 base score of 8.8 (High). Attackers can enumerate all users in the system, providing high confidentiality impact (C:H), and create unauthorized administrator accounts, leading to high integrity impact (I:H). While availability impact is rated high (A:H), it stems from potential disruption via administrative privilege escalation in the web application context.
Mitigation is available in Movary version 0.71.1, which patches the issue by correcting the authorization checks. Security practitioners should upgrade to this version immediately. Relevant advisories and fixes are detailed in the GitHub security advisory (GHSA-7r3f-9fwv-p43w), the patching commit (92c7400486f5fe9f350046e04e45a8502778bf39), pull request #749, and the release notes for v0.71.1.
Details
- CWE(s)