CVE Alert

CVE-2026-40349

HIGH 8.8

Authenticated Movary User Can Self-Escalate to Administrator via PUT /settings/users/{userId} by Setting isAdmin=true

CVSS Score: 8.8
EPSS Score: 0.0%
EPSS Percentile: 0th

Movary is a self-hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=true` to `PUT /settings/users/{userId}` for their own user ID. The endpoint is intended to let a user edit their own profile, but it updates the sensitive `isAdmin` field without any admin-only authorization check. Version 0.71.1 patches the issue.
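The defect described above is a classic missing-authorization (CWE-862) / mass-assignment pattern: the handler checks that the caller may edit the target profile, but not which fields the caller may change. The following PHP snippet is an added illustration written for this page, not movary's own code; the function names, the user array shape and the list of editable profile fields are assumptions. It shows the vulnerable write-through pattern beside a hardened version that restricts the writable field set by role and rejects, rather than silently drops, protected fields.

```php
<?php
// Added illustration (not movary's code): field-level authorization for a
// profile update endpoint such as PUT /settings/users/{userId}.

declare(strict_types=1);

final class Forbidden extends RuntimeException {}

/**
 * Vulnerable pattern (CWE-862): after confirming the caller may edit this
 * profile, every field in the request body is written through, so a regular
 * user can send isAdmin=true for their own user ID.
 */
function buildUpdateVulnerable(array $caller, int $targetUserId, array $body): array
{
    if ($caller['id'] !== $targetUserId && !$caller['isAdmin']) {
        throw new Forbidden('may only edit own profile');
    }
    // Missing: no check that the caller is allowed to change isAdmin.
    return $body;
}

/**
 * Hardened pattern: the writable field set depends on the caller's role.
 * isAdmin is accepted only from an administrator editing another account,
 * so a non-admin can never grant it and an admin cannot demote themselves
 * through this endpoint.
 */
function buildUpdateHardened(array $caller, int $targetUserId, array $body): array
{
    $isSelf = $caller['id'] === $targetUserId;
    if (!$isSelf && !$caller['isAdmin']) {
        throw new Forbidden('may only edit own profile');
    }

    // Assumed profile field names; the project's real schema may differ.
    $allowed = ['name', 'email', 'password', 'privacyLevel'];
    if ($caller['isAdmin'] && !$isSelf) {
        $allowed[] = 'isAdmin';
    }

    $update = array_intersect_key($body, array_flip($allowed));

    // Reject rather than silently drop protected fields, so an attempt
    // to set isAdmin shows up in the logs instead of vanishing.
    $rejected = array_diff_key($body, $update);
    if ($rejected !== []) {
        error_log(sprintf(
            'user %d attempted to set protected fields: %s',
            $caller['id'],
            implode(',', array_keys($rejected))
        ));
        throw new Forbidden('request contains fields you are not allowed to change');
    }
    return $update;
}

// Demo with constructed users and a constructed request body.
$alice = ['id' => 7, 'isAdmin' => false];
$admin = ['id' => 1, 'isAdmin' => true];
$body  = ['name' => 'alice', 'isAdmin' => true];

var_dump(buildUpdateVulnerable($alice, 7, $body)['isAdmin']); // bool(true): escalation
try {
    buildUpdateHardened($alice, 7, $body);
} catch (Forbidden $e) {
    echo "blocked: {$e->getMessage()}\n";
}
var_dump(buildUpdateHardened($admin, 7, $body)['isAdmin']);   // bool(true): admin may grant
```

The important design point is the allow-list: the hardened handler starts from the fields a profile owner may edit and only widens it for administrators, instead of starting from the request body and trying to remove dangerous keys. Logging the rejected keys also gives a cheap detection signal for escalation attempts against an unpatched instance.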

CWE: CWE-862
Vendor: leepeuker
Product: movary
Published: Apr 18, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

leepeuker / movary
< 0.71.1

References

NVD / CVE.org / EPSS Data
github.com: https://github.com/leepeuker/movary/security/advisories/GHSA-mcfq-8rx7-w25v
github.com: https://github.com/leepeuker/movary/pull/750
github.com: https://github.com/leepeuker/movary/commit/12c8a090051b1a1c07a3aa48922f3bc9ffe44c8b
github.com: https://github.com/leepeuker/movary/releases/tag/0.71.1