Unauthorized Access Vulnerability in Movary Web App by Leepeuker
CVE-2026-40350

8.8 HIGH

Key Information:

Vendor: Leepeuker
Status: Vendor
CVE Published: 18 April 2026

What is CVE-2026-40350?

Movary, a self-hosted web application for tracking and rating movies, has a significant vulnerability that allows ordinary authenticated users to access sensitive user-management endpoints. Specifically, users can enumerate all existing users and even create a new administrator account. This issue arises due to a lack of proper access controls, as the route definitions fail to enforce admin-only restrictions. Additionally, a flawed boolean condition in the controller-level authorization check permits users with valid session cookies to exploit functionalities that should only be available to administrators. The issue has been resolved in version 0.71.1, which implements the necessary security measures.
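The two weaknesses named above (route definitions without an admin-only restriction, and a controller-level check whose boolean condition accepts any valid session) are illustrated below as an added example. This is not Movary's code and does not reproduce the project's actual condition; the route paths, cookie values, user fixtures and the exact shape of the flawed expression are constructed for illustration. The vulnerable configuration is shown beside the hardened one so the difference in behaviour for an ordinary authenticated user is visible.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class User:
    id: int
    name: str
    is_admin: bool


# Constructed fixtures (not Movary data): one administrator and one ordinary
# user, each holding a valid session cookie.
USERS: Dict[int, User] = {
    1: User(1, "alice", is_admin=True),
    2: User(2, "bob", is_admin=False),
}
SESSIONS: Dict[str, int] = {"sess-alice": 1, "sess-bob": 2}


def current_user(cookie: Optional[str]) -> Optional[User]:
    """Resolve a session cookie to a User; None for anonymous or unknown sessions."""
    uid = SESSIONS.get(cookie) if cookie else None
    return USERS.get(uid) if uid is not None else None


def flawed_admin_check(cookie: Optional[str]) -> bool:
    """Hypothetical flawed controller-level check. The intent is
    'authenticated AND administrator', but the two clauses are joined with
    'or', so every valid session satisfies it and only anonymous callers fail."""
    user = current_user(cookie)
    return user is not None or getattr(user, "is_admin", False)


def fixed_admin_check(cookie: Optional[str]) -> bool:
    """Hardened check: the caller must be authenticated and an administrator."""
    user = current_user(cookie)
    return user is not None and user.is_admin


Check = Callable[[Optional[str]], bool]


@dataclass(frozen=True)
class Route:
    handler: Callable[[], Tuple[int, str]]
    admin_only: bool          # enforced centrally by the router
    controller_check: Check   # enforced again inside the controller


def list_users() -> Tuple[int, str]:
    """User-enumeration endpoint: returns every known user name."""
    return 200, ",".join(u.name for u in USERS.values())


def create_admin() -> Tuple[int, str]:
    """Administrator-creation endpoint (side effect omitted in this illustration)."""
    return 201, "administrator created"


def dispatch(routes: Dict[str, Route], path: str, cookie: Optional[str]) -> Tuple[int, str]:
    """Route-level gate first, then the controller's own check, then the handler.
    Two independent layers mean one flawed condition no longer opens the endpoint."""
    route = routes.get(path)
    if route is None:
        return 404, "not found"
    if route.admin_only and not fixed_admin_check(cookie):
        return 403, "forbidden (route)"
    if not route.controller_check(cookie):
        return 403, "forbidden (controller)"
    return route.handler()


# Vulnerable configuration: no admin-only restriction at the route, and the
# controller relies on the flawed boolean condition.
VULNERABLE_ROUTES: Dict[str, Route] = {
    "/users": Route(list_users, False, flawed_admin_check),
    "/users/admin": Route(create_admin, False, flawed_admin_check),
}
# Hardened configuration: admin-only at the route plus a correct controller check.
FIXED_ROUTES: Dict[str, Route] = {
    "/users": Route(list_users, True, fixed_admin_check),
    "/users/admin": Route(create_admin, True, fixed_admin_check),
}

if __name__ == "__main__":
    for label, routes in (("vulnerable", VULNERABLE_ROUTES), ("fixed", FIXED_ROUTES)):
        for who, cookie in (("anonymous", None), ("bob", "sess-bob"), ("alice", "sess-alice")):
            print(f"{label:10s} {who:9s} /users/admin -> {dispatch(routes, '/users/admin', cookie)}")
```

In the vulnerable table the ordinary user `bob` reaches both endpoints because the flawed check only rejects callers with no session at all; in the hardened table he is stopped at the route layer before the controller runs, and the controller check would stop him again if the route flag were ever dropped.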

Affected Version(s)

movary < 0.71.1

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
