High severity (CVSS 8.8) · NVD Advisory · Published Apr 18, 2026 · Updated Apr 27, 2026
CVE-2026-40349
Description
Movary is a self-hosted web app for tracking and rating the movies a user has watched. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending isAdmin=true in a PUT request to /settings/users/{userId} for their own user ID. The endpoint is intended to let a user edit their own profile, but it writes the sensitive isAdmin field from the request body without checking that the requester is an administrator. Because only a regular account is needed, any instance that allows untrusted users to log in is exposed. Version 0.71.1 patches the issue.
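As an added illustration, not Movary's own code and not the content of the patch commit: a PHP handler for PUT /settings/users/{userId} written in the vulnerable shape the description gives, beside a hardened version that honours isAdmin only when the requester is already an administrator. The in-memory $users table, the function names and the field list are assumptions made for the example.

```php
<?php
// Illustrative example, not Movary's code. The $users table, function names
// and allowed-field list are assumptions; the sample data is constructed.
declare(strict_types=1);

// Stand-in for the users table (constructed sample data).
$users = [
    1 => ['id' => 1, 'name' => 'admin', 'isAdmin' => true],
    2 => ['id' => 2, 'name' => 'alice', 'isAdmin' => false],
];

// Vulnerable shape: the only check is "you may edit your own record", after
// which every known field in the body, isAdmin included, is written through.
function updateUserVulnerable(array &$users, int $sessionUserId, int $targetUserId, array $body): void
{
    if ($sessionUserId !== $targetUserId) {
        throw new RuntimeException('forbidden');
    }
    foreach (['name', 'isAdmin'] as $field) {
        if (array_key_exists($field, $body)) {
            $users[$targetUserId][$field] = $body[$field];
        }
    }
}

// Hardened shape: the gate for isAdmin is the REQUESTER's role, not the
// target's. Non-admins may edit only their own profile fields.
function updateUserFixed(array &$users, int $sessionUserId, int $targetUserId, array $body): void
{
    $requesterIsAdmin = $users[$sessionUserId]['isAdmin'] ?? false;

    if (!$requesterIsAdmin && $sessionUserId !== $targetUserId) {
        throw new RuntimeException('forbidden');
    }

    // Explicit allow-list of writable fields; isAdmin is added only for admins.
    $allowed = ['name'];
    if ($requesterIsAdmin) {
        $allowed[] = 'isAdmin';
    } elseif (array_key_exists('isAdmin', $body)) {
        // Reject rather than silently drop, so the attempt shows up in logs.
        throw new RuntimeException('forbidden: isAdmin may only be set by an administrator');
    }

    foreach ($allowed as $field) {
        if (array_key_exists($field, $body)) {
            $users[$targetUserId][$field] = $field === 'isAdmin'
                ? (bool) $body[$field]
                : (string) $body[$field];
        }
    }
}

// Alice (user 2) tries to promote herself via her own user ID.
$body = ['isAdmin' => true];

$vuln = $users;
updateUserVulnerable($vuln, 2, 2, $body);
echo 'vulnerable handler, alice isAdmin: ', var_export($vuln[2]['isAdmin'], true), PHP_EOL;

$fixed = $users;
try {
    updateUserFixed($fixed, 2, 2, $body);
} catch (RuntimeException $e) {
    echo 'fixed handler rejected request: ', $e->getMessage(), PHP_EOL;
}
echo 'fixed handler, alice isAdmin: ', var_export($fixed[2]['isAdmin'], true), PHP_EOL;
```

Run it with `php example.php`. The design point is that "may the caller edit this record" and "may the caller change this field" are two separate authorization decisions; the vulnerable version makes only the first. The fixed version keeps an explicit allow-list of writable fields and derives it from the requester's role, so adding a new privileged column later cannot silently become user-writable.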
Affected products (1)
Patches (1)
- 12c8a090051b in github.com/leepeuker/movary (via nvd-ref)
References (4)
- github.com/leepeuker/movary/commit/12c8a090051b1a1c07a3aa48922f3bc9ffe44c8b (NVD: Patch)
- github.com/leepeuker/movary/pull/750 (NVD: Issue Tracking, Patch)
- github.com/leepeuker/movary/security/advisories/GHSA-mcfq-8rx7-w25v (NVD: Exploit, Vendor Advisory)
- github.com/leepeuker/movary/releases/tag/0.71.1 (NVD: Release Notes)
News mentions (0)
No linked articles in our index yet.