{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40349", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T22:50:01.359Z", "datePublished": "2026-04-18T00:05:46.360Z", "dateUpdated": "2026-04-20T16:15:49.844Z"}, "containers": {"cna": {"title": "Authenticated Movary User Can Self-Escalate to Administrator via PUT /settings/users/{userId} by Setting isAdmin=true", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/leepeuker/movary/security/advisories/GHSA-mcfq-8rx7-w25v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/leepeuker/movary/security/advisories/GHSA-mcfq-8rx7-w25v"}, {"name": "https://github.com/leepeuker/movary/pull/750", "tags": ["x_refsource_MISC"], "url": "https://github.com/leepeuker/movary/pull/750"}, {"name": "https://github.com/leepeuker/movary/commit/12c8a090051b1a1c07a3aa48922f3bc9ffe44c8b", "tags": ["x_refsource_MISC"], "url": "https://github.com/leepeuker/movary/commit/12c8a090051b1a1c07a3aa48922f3bc9ffe44c8b"}, {"name": "https://github.com/leepeuker/movary/releases/tag/0.71.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/leepeuker/movary/releases/tag/0.71.1"}], "affected": [{"vendor": "leepeuker", "product": "movary", "versions": [{"version": "< 0.71.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-18T00:05:46.360Z"}, "descriptions": [{"lang": "en", "value": "Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=true` to `PUT /settings/users/{userId}` for their own user ID. The endpoint is intended to let a user edit their own profile, but it updates the sensitive `isAdmin` field without any admin-only authorization check. Version 0.71.1 patches the issue."}], "source": {"advisory": "GHSA-mcfq-8rx7-w25v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T16:10:42.542772Z", "id": "CVE-2026-40349", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:15:49.844Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40349", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-20T16:10:42.542772Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:10:43.599Z"}}], "cna": {"title": "Authenticated Movary User Can Self-Escalate to Administrator via PUT /settings/users/{userId} by Setting isAdmin=true", "source": {"advisory": "GHSA-mcfq-8rx7-w25v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "leepeuker", "product": "movary", "versions": [{"status": "affected", "version": "< 0.71.1"}]}], "references": [{"url": "https://github.com/leepeuker/movary/security/advisories/GHSA-mcfq-8rx7-w25v", "name": "https://github.com/leepeuker/movary/security/advisories/GHSA-mcfq-8rx7-w25v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/leepeuker/movary/pull/750", "name": "https://github.com/leepeuker/movary/pull/750", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/leepeuker/movary/commit/12c8a090051b1a1c07a3aa48922f3bc9ffe44c8b", "name": "https://github.com/leepeuker/movary/commit/12c8a090051b1a1c07a3aa48922f3bc9ffe44c8b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/leepeuker/movary/releases/tag/0.71.1", "name": "https://github.com/leepeuker/movary/releases/tag/0.71.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=true` to `PUT /settings/users/{userId}` for their own user ID. The endpoint is intended to let a user edit their own profile, but it updates the sensitive `isAdmin` field without any admin-only authorization check. Version 0.71.1 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-18T00:05:46.360Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40349", "state": "PUBLISHED", "dateUpdated": "2026-04-20T16:15:49.844Z", "dateReserved": "2026-04-10T22:50:01.359Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-18T00:05:46.360Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:leepeuker:movary:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B267141-8A10-4807-B49C-F74FEB767E1F", "versionEndExcluding": "0.71.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=true` to `PUT /settings/users/{userId}` for their own user ID. The endpoint is intended to let a user edit their own profile, but it updates the sensitive `isAdmin` field without any admin-only authorization check. Version 0.71.1 patches the issue."}], "id": "CVE-2026-40349", "lastModified": "2026-04-27T14:09:21.917", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-18T00:16:38.817", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/leepeuker/movary/commit/12c8a090051b1a1c07a3aa48922f3bc9ffe44c8b"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/leepeuker/movary/pull/750"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/leepeuker/movary/releases/tag/0.71.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/leepeuker/movary/security/advisories/GHSA-mcfq-8rx7-w25v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.71.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "movary", "source": "cna", "vendor": "leepeuker"}, "product": "movary", "vendor": "leepeuker"}], "analysis": {"en": {"generated_at": "2026-04-18T17:03:23.961832+00:00", "value": {"mitigation_remediation": ["Upgrade Movary to version 0.71.1 or later to apply the official patch", "Disallow the isAdmin field from being altered via the public API by implementing an admin\u2011only authorization check or removing the field from the endpoint\u2019s payload", "If an upgrade is temporarily impossible, isolate the /settings/users/{userId} endpoint behind strict access controls and monitor for suspicious requests", "Review all user accounts to ensure no unintended administrative privileges exist"], "summary": {"action": "Patch", "impact": "Privilege Escalation to Administrator"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Movary self\u2011hosted movie\u2011tracking application produced by leepeuker. All installations running version 0.70.x or earlier are impacted; version 0.71.1 and later contain the fix.", "description_and_impact": "An authenticated user can gain administrative privileges by sending a PUT request to /settings/users/{userId} with isAdmin=true. The endpoint, intended for self\u2011profile edits, lacks an admin\u2011only authorization check, enabling a normal user to flip the isAdmin flag and elevate themselves. This flaw is a classic privilege\u2011escalation flaw (CWE\u2011862) that enables the user to obtain administrative rights; the CVE description does not detail the exact extent of actions available to an administrator.", "risk_and_exploitability": "The CVSS score of 8.8 classifies the issue as high severity. Exploitation requires only a valid user session\u2014no additional privileges or external conditions are needed. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, but the lack of restrictions on the endpoint means that a legitimate user can easily execute the upgrade path. The threat remains significant until the application is updated."}}}}, "created": "2026-04-18T01:30:15.917637+00:00", "updated": "2026-04-18T17:15:05.773747+00:00", "vendors": ["leepeuker", "leepeuker$PRODUCT$movary"]}