Movary Flaw Allows Admin Account Creation, High-Severity Risk
The National Vulnerability Database has disclosed CVE-2026-40350, a high-severity vulnerability (CVSS 8.8) affecting Movary, a self-hosted web application for tracking movies. Prior to version 0.71.1, an authenticated user could exploit flaws in route definitions and controller-level authorization to enumerate all users and create a new administrator account. This bypasses intended access controls, granting full administrative privileges to an attacker with a valid web session.
The core issue, identified as CWE-863 (Improper Authorization), stems from Movary’s failure to enforce administrative-only middleware on critical user-management endpoints like /settings/users. Compounding this, the authorization check at the controller level utilized a broken boolean condition. This allowed any logged-in user to access functionality that should have been strictly restricted to administrators, demonstrating a critical failure in the application’s security architecture.
For defenders, this means a low-privilege user can escalate to full admin. The attacker’s calculus is simple: get any valid user session, then elevate. This isn’t a complex RCE, it’s a fundamental authorization breakdown. Movary version 0.71.1 patches this critical flaw, making immediate upgrades essential for anyone running the application.
What This Means For You
- If your organization uses Movary, you must immediately verify your version. If it's prior to 0.71.1, prioritize patching to version 0.71.1 without delay. After patching, audit your user accounts for any unauthorized administrator accounts that may have been created. This vulnerability is a straight path to full control for an attacker who gains even basic authenticated access.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-40350 - Movary Unauthenticated Admin Account Creation
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40350 | Privilege Escalation | Movary web app versions < 0.71.1 |
| CVE-2026-40350 | Privilege Escalation | Movary endpoint: /settings/users |
| CVE-2026-40350 | Information Disclosure | Movary endpoint: /settings/users (user enumeration) |
| CVE-2026-40350 | Auth Bypass | Movary: broken boolean condition in controller-level authorization |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 18, 2026 at 04:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related Posts
CVE-2026-40490 — Open Redirect
CVE-2026-40490 — The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (followRedirect(true)),...
Postiz AI Tool Vulnerability Allows Account Takeover via XSS
CVE-2026-40487 — Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload...
Emissary Workflow Engine Vulnerable to OS Command Injection
CVE-2026-35582 — Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand() is vulnerable to OS command injection because it interpolates...