Movary SSRF: Authenticated Users Can Probe Internal Networks
The National Vulnerability Database (NVD) has published CVE-2026-40348, a high-severity Server-Side Request Forgery (SSRF) vulnerability in Movary, a self-hosted movie tracking web application. In versions prior to 0.71.1, an authenticated user could use the /settings/jellyfin/server-url-verify endpoint to make the server issue HTTP requests to arbitrary targets. The endpoint exists to verify a Jellyfin server URL: it appends /system/info/public to a user-controlled URL and sends the request via Guzzle, Movary's HTTP client library.
Critically, the NVD entry notes that Movary placed no restrictions on internal hosts, loopback addresses, or private network ranges. An ordinary authenticated user can therefore perform internal network reconnaissance through the application server: host discovery, port-state probing, and service fingerprinting, inferred from how the verify endpoint responds to each target. For deployments with internal administrative services or cloud metadata endpoints on the same network as the Movary host, this gives an attacker a path to services that are not reachable from outside.
This is not only about finding open ports; it gives an attacker a way to map internal network topology and pick out high-value targets. The CVSS score of 7.7 (HIGH) reflects the impact of letting an authenticated user reach internal network details through the server. Defenders should assume that any account, not just an administrator's, can be compromised, and this vulnerability turns such an account into an internal reconnaissance agent.
What This Means For You
- If your organization runs Movary, upgrade to version 0.71.1 or later. Until then, any authenticated user has a conduit to map your internal network, enumerate services, and potentially reach cloud metadata endpoints, which is exactly the reconnaissance an attacker performs before choosing a next step. If you cannot upgrade immediately, restricting outbound connections from the Movary host to the Jellyfin server it actually needs limits what the endpoint can reach.
Indicators of Compromise
| CVE | Category | Indicator |
|---|---|---|
| CVE-2026-40348 | SSRF | Movary web application |
| CVE-2026-40348 | SSRF | Movary versions prior to 0.71.1 |
| CVE-2026-40348 | SSRF | POST /settings/jellyfin/server-url-verify endpoint |
| CVE-2026-40348 | Information Disclosure | Internal network probing via Movary |
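Because the endpoint is the one concrete indicator the advisory names, a detection worth having is a burst of POSTs to it from a single client: reconnaissance through the verify endpoint costs one request per host and port tried, while a real user verifies a URL a handful of times. The block below is an added example written for this page, not a rule from the advisory or from Movary. It assumes a standard nginx/Apache "combined" access log in front of Movary, uses the client IP as the actor (the combined format carries no Movary username), and the threshold and window are tuning assumptions; the log lines it processes are constructed.

```python
"""
Added example (not from the advisory or Movary): flag clients that hit the
vulnerable verify endpoint in bursts. Log format, threshold and window are
assumptions; the sample log is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Endpoint named in the advisory.
VERIFY_PATH = "/settings/jellyfin/server-url-verify"

# Assumed nginx/Apache "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def find_probe_bursts(lines, threshold=10, window_seconds=60):
    """Return {client_ip: peak_count} for clients that exceed `threshold`
    POSTs to VERIFY_PATH inside any sliding window of `window_seconds`.

    Lines are assumed to be in time order, as an access log is written.
    """
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != VERIFY_PATH:
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def _line(ip, ts, method, path, status):
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S +0000}] '
            f'"{method} {path} HTTP/1.1" {status} 57 "-" "Mozilla/5.0"')


def sample_log():
    """Constructed log: one user verifying twice, one client probing 25 targets."""
    base = datetime(2026, 4, 18, 3, 16, 0, tzinfo=timezone.utc)
    lines = [
        _line("198.51.100.7", base, "GET", "/settings/jellyfin", 200),
        _line("198.51.100.7", base + timedelta(seconds=5), "POST", VERIFY_PATH, 200),
        _line("198.51.100.7", base + timedelta(seconds=40), "POST", VERIFY_PATH, 200),
    ]
    for i in range(25):
        lines.append(_line("203.0.113.42", base + timedelta(seconds=60 + i),
                           "POST", VERIFY_PATH, 200))
    return lines


if __name__ == "__main__":
    print(find_probe_bursts(sample_log()))
```

The access log does not contain the POST body, so the probed target is invisible here; the burst is the only signal this layer offers. Pair it with application-level logging of the submitted server URL if you want to see which internal addresses were tried.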
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 18, 2026 at 03:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.