Movary Admin Escalation: A Simple Patch, A Critical Flaw

The National Vulnerability Database has detailed CVE-2026-40349, a high-severity vulnerability affecting Movary, a self-hosted movie tracking web application. Prior to version 0.71.1, an authenticated user could escalate their privileges to administrator by manipulating a PUT request to their own user settings. Specifically, sending isAdmin=true to the /settings/users/{userId} endpoint for their own user ID would bypass authorization checks, granting administrative access.

This flaw, rated 8.8 CVSS (HIGH) and categorized as CWE-862 (Missing Authorization), highlights a common developer oversight: trusting client-side input for sensitive operations. The endpoint, intended for profile edits, never checked whether a non-admin user was authorized to modify the isAdmin field. Version 0.71.1 addresses this critical issue.

For defenders, this is a textbook example of why granular access control and server-side validation are non-negotiable. An attacker’s calculus here is simple: find an authenticated endpoint that updates user attributes and see which sensitive fields can be tampered with. This often provides a quick path to full system compromise from a low-privilege foothold.

What This Means For You

  • If your organization uses Movary, you need to patch to version 0.71.1 immediately. This isn't a theoretical flaw; it's a direct path for any authenticated user to become an administrator. Audit your Movary instances for unauthorized admin accounts if you were running an affected version.
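The pattern described above, plus the post-patch audit the bullet calls for, as an added Python example that is not Movary's code: the "before" handler copies every submitted field onto the user after only an ownership check, the hardened handler allow-lists fields by caller role before touching anything, and a helper lists admin flags that are not on an approved baseline. The User shape, the SELF_EDITABLE/ADMIN_ONLY field sets and the function names are assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed field policy (not Movary's): what each caller role may change.
SELF_EDITABLE = {"name", "email"}      # any user, on their own profile
ADMIN_ONLY = {"isAdmin"}               # only an admin, on another user's account

class Forbidden(Exception): pass

@dataclass
class User:
    id: int
    name: str
    is_admin: bool = False

def _as_bool(value):
    # Accept JSON booleans and the form/query-string spellings "true" / "1".
    return value is True or str(value).strip().lower() in ("true", "1")

def update_user_vulnerable(actor, target, payload):
    """'Before' pattern: the ownership check passes, then every submitted
    field, isAdmin included, is copied onto the target with no role check."""
    if actor.id != target.id and not actor.is_admin:
        raise Forbidden("may only edit own profile")
    if "name" in payload:
        target.name = payload["name"]
    if "isAdmin" in payload:
        target.is_admin = _as_bool(payload["isAdmin"])
    return target

def update_user_hardened(actor, target, payload):
    """Allow-list the submitted fields by caller role before any write."""
    if actor.id != target.id and not actor.is_admin:
        raise Forbidden("may only edit own profile")
    allowed = set(SELF_EDITABLE)
    if actor.is_admin and actor.id != target.id:
        allowed |= ADMIN_ONLY        # admins cannot toggle their own flag either
    unexpected = set(payload) - allowed
    if unexpected:
        raise Forbidden(f"fields not permitted for this caller: {sorted(unexpected)}")
    if "name" in payload:
        target.name = payload["name"]
    if "isAdmin" in payload:
        target.is_admin = _as_bool(payload["isAdmin"])
    return target

def audit_unexpected_admins(users, approved_admin_ids):
    """Post-patch check: ids carrying the admin flag that are not on the baseline."""
    return sorted(u.id for u in users if u.is_admin and u.id not in approved_admin_ids)
```

Rejecting unexpected fields outright, rather than silently ignoring them, also gives the application a log line to alert on.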

Related ATT&CK Techniques

  • T1078.002, Privilege Escalation (critical)

Detection Rules

  • Movary User Privilege Escalation via Settings Update - CVE-2026-40349 (Sigma YAML; also exportable as Splunk SPL, Sentinel KQL, Elastic, QRadar AQL and Wazuh)

Indicators of Compromise

  ID              Type                  Indicator
  CVE-2026-40349  Privilege Escalation  Movary web app
  CVE-2026-40349  Privilege Escalation  Movary versions prior to 0.71.1
  CVE-2026-40349  Privilege Escalation  PUT /settings/users/{userId} endpoint
  CVE-2026-40349  Privilege Escalation  Parameter 'isAdmin=true' in PUT /settings/users/{userId}

Source & Attribution

  Source Platform: NVD
  Channel: National Vulnerability Database
  Published: April 18, 2026 at 03:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
