CVE-2026-40350 | leepeuker movary up to 0.71.0 Setting /settings/users authorization (GHSA-7r3f-9fwv-p43w)
VulDBArchived Apr 18, 2026✓ Full text saved
A vulnerability was found in leepeuker movary up to 0.71.0 . It has been rated as critical . Affected by this issue is some unknown functionality of the file /settings/users of the component Setting Handler . This manipulation causes incorrect authorization. This vulnerability appears as CVE-2026-40350 . The attack may be initiated remotely. There is no available exploit. Upgrading the affected component is advised.
Full text archived locally
✦ AI Summary· Claude Sonnet
VDB-358184 · CVE-2026-40350 · GHSA-7R3F-9FWV-P43W
LEEPEUKER MOVARY UP TO 0.71.0 SETTING /SETTINGS/USERS AUTHORIZATION
HISTORYDIFFRELATEJSONXMLCTI
CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score
7.4 $0-$5k 0.76+
Summaryinfo
A vulnerability categorized as critical has been discovered in leepeuker movary up to 0.71.0. This affects an unknown part of the file /settings/users of the component Setting Handler. Such manipulation leads to authorization. This vulnerability is traded as CVE-2026-40350. The attack may be launched remotely. There is no exploit available. It is advisable to upgrade the affected component.
Detailsinfo
A vulnerability, which was classified as critical, has been found in leepeuker movary up to 0.71.0. Affected by this issue is an unknown functionality of the file /settings/users of the component Setting Handler. The manipulation with an unknown input leads to a authorization vulnerability. Using CWE to declare the problem leads to CWE-863. The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. Impacted is confidentiality, integrity, and availability. CVE summarizes:
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use them to enumerate all users and create a new administrator account. This happens because the route definitions do not enforce admin-only middleware, and the controller-level authorization check uses a broken boolean condition. As a result, any user with a valid web session cookie can reach functionality that should be restricted to administrators. Version 0.71.1 patches the issue.
The advisory is shared for download at github.com. This vulnerability is handled as CVE-2026-40350 since 04/11/2026. The exploitation is known to be easy. The attack may be launched remotely. There are known technical details, but no exploit is available.
Upgrading to version 0.71.1 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 92c7400486f5fe9f350046e04e45a8502778bf39 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.
Productinfo
Vendor
leepeuker
Name
movary
Version
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
0.10
0.11
0.12
0.13
0.14
0.15
0.16
0.17
0.18
0.19
0.20
0.21
0.22
0.23
0.24
0.25
0.26
0.27
0.28
0.29
0.30
0.31
0.32
0.33
0.34
0.35
0.36
0.37
0.38
0.39
0.40
0.41
0.42
0.43
0.44
0.45
0.46
0.47
0.48
0.49
0.50
0.51
0.52
0.53
0.54
0.55
0.56
0.57
0.58
0.59
0.60
0.61
0.62
0.63
0.64
0.65
0.66
0.67
0.68
0.69
0.70
0.71.0
License
open-source
Website
Product: https://github.com/leepeuker/movary/
CPE 2.3info
🔒
🔒
🔒
CPE 2.2info
🔒
🔒
🔒
CVSSv4info
VulDB Vector: 🔒
VulDB Reliability: 🔍
CVSSv3info
VulDB Meta Base Score: 7.6
VulDB Meta Temp Score: 7.4
VulDB Base Score: 6.3
VulDB Temp Score: 6.0
VulDB Vector: 🔒
VulDB Reliability: 🔍
CNA Base Score: 8.8
CNA Vector (GitHub_M): 🔒
CVSSv2info
Vector Complexity Authentication Confidentiality Integrity Availability
Unlock Unlock Unlock Unlock Unlock Unlock
Unlock Unlock Unlock Unlock Unlock Unlock
Unlock Unlock Unlock Unlock Unlock Unlock
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploitinginfo
Class: Authorization
CWE: CWE-863 / CWE-285 / CWE-266
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Status: Not defined
Price Prediction: 🔍
Current Price Estimation: 🔒
0-Day Unlock Unlock Unlock Unlock
Today Unlock Unlock Unlock Unlock
Threat Intelligenceinfo
Interest: 🔍
Active Actors: 🔍
Active APT Groups: 🔍
Countermeasuresinfo
Recommended: Upgrade
Status: 🔍
0-Day Time: 🔒
Upgrade: movary 0.71.1
Patch: 92c7400486f5fe9f350046e04e45a8502778bf39
Timelineinfo
04/11/2026 CVE reserved
04/18/2026 +7 days Advisory disclosed
04/18/2026 +0 days VulDB entry created
04/18/2026 +0 days VulDB entry last update
Sourcesinfo
Product: github.com
Advisory: GHSA-7r3f-9fwv-p43w
Status: Confirmed
CVE: CVE-2026-40350 (🔒)
GCVE (CVE): GCVE-0-2026-40350
GCVE (VulDB): GCVE-100-358184
Entryinfo
Created: 04/18/2026 09:24
Changes: 04/18/2026 09:24 (68)
Complete: 🔍
Cache ID: 99:AD4:101
Discussion
No comments yet. Languages: en.
Please log in to comment.
◂ PreviousOverviewNext ▸