Platform: nodejs
Component: movary
Fixed in: 0.71.2
CVE-2026-40350 affects Movary, a self-hosted web application for tracking and rating movies, in versions prior to 0.71.1. An authenticated user of any privilege level can bypass the authorization check on the user-management endpoints and create new administrator accounts, which gives them full control over the application. The root cause is a flawed boolean condition in that check. The issue is fixed in version 0.71.1.
An attacker who exploits this obtains an administrator account on the Movary instance. With it they can modify or delete other user accounts, change application settings and read any data the application stores; in short, they control the application and its data. Because the only precondition is a valid login, every instance whose registered users are not all already trusted as administrators is exposed, and a newly created administrator account on a single-operator self-hosted instance can easily go unnoticed.
CVE-2026-40350 was publicly disclosed on 2026-04-18. No public proof-of-concept exploit is known. The EPSS score is low (0.04%, 14th percentile) despite the simplicity of the flaw, and the CVE is not listed in the CISA KEV catalog.
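The flaw class the advisory describes, as an added example that is not Movary's code: a user-creation handler whose authorization condition is mis-negated, the corrected handler with the administrator check hoisted into a wrapper, and an exhaustive check over the four possible actor/request combinations. The handler shape and the field names actor.isAdmin and requested.isAdmin are assumptions for illustration; the real condition in Movary is not quoted on this page.

```javascript
// Added example, not Movary's code. Field names (actor.isAdmin,
// requested.isAdmin) and the handler shape are hypothetical.

// Policy the endpoint is supposed to enforce: only an administrator may
// create accounts, whatever role the new account is to have.

// FLAWED: the author meant "deny unless the actor is an admin" but wrote
// "deny when the actor is not an admin AND the requested account is not an
// admin". The deny branch is skipped precisely when a non-admin asks for an
// admin account, which is the case that matters most.
function createUserFlawed(actor, requested) {
  if (!actor.isAdmin && !requested.isAdmin) {
    return { status: 403, error: 'forbidden' };
  }
  return { status: 201, user: { name: requested.name, isAdmin: requested.isAdmin } };
}

// FIXED: the decision depends only on the actor's privilege. The requested
// role is data, not part of the authorization condition, and the check
// lives in one wrapper rather than being re-typed in every endpoint.
function requireAdmin(handler) {
  return function guarded(actor, requested) {
    if (!actor.isAdmin) {
      return { status: 403, error: 'forbidden' };
    }
    return handler(actor, requested);
  };
}

function createUserUnchecked(actor, requested) {
  return { status: 201, user: { name: requested.name, isAdmin: requested.isAdmin } };
}

const createUserFixed = requireAdmin(createUserUnchecked);

// Exhaustive test of the 2x2 input space. For a two-variable boolean
// condition this is cheap and catches exactly the bug above: it returns
// every (actor, requested) combination where the handler's decision
// differs from the policy "allowed iff the actor is an admin".
function findPolicyViolations(handler) {
  const violations = [];
  for (const actorIsAdmin of [false, true]) {
    for (const wantAdmin of [false, true]) {
      const res = handler({ isAdmin: actorIsAdmin }, { name: 'newuser', isAdmin: wantAdmin });
      const allowed = res.status === 201;
      if (allowed !== actorIsAdmin) {
        violations.push({ actorIsAdmin, wantAdmin, status: res.status });
      }
    }
  }
  return violations;
}

// Usage:
// findPolicyViolations(createUserFlawed)
//   -> [ { actorIsAdmin: false, wantAdmin: true, status: 201 } ]
// findPolicyViolations(createUserFixed) -> []
```

The exhaustive check is the reusable part: any authorization predicate over a handful of booleans can be verified this way in a unit test, and it is the same experiment as the post-upgrade check of logging in as a standard user and trying to create an administrator.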
Exploit Status
EPSS: 0.04% (14th percentile)
The primary mitigation for CVE-2026-40350 is to upgrade Movary to version 0.71.1 or later without delay. If that is not immediately possible, restrict access to the /settings/users endpoint at the web server or reverse-proxy level (for example, allow it only from the administrator's own address range); this is a stopgap, not a fix, because the flawed check remains in the application. In either case, review the user list for administrator accounts you did not create and check when they were created. After upgrading, confirm the fix by logging in as a standard user and attempting to create an administrator account; the request must be rejected.
Update Movary to version 0.71.1 or later. The fix corrects the authorization check so that the user-management endpoints only accept requests from users who already hold administrative privileges.
CVE-2026-40350 is a HIGH severity vulnerability in Movary versions before 0.71.1 that allows any authenticated user to create administrator accounts because of a flawed authorization check.
You are affected if you run any Movary version up to and including 0.71.0. Check your version and upgrade immediately if it is in that range.
Upgrade Movary to version 0.71.1 or later to patch the vulnerability. If upgrading is not possible, restrict access to the /settings/users endpoint at the web server level.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the Movary project's official website or GitHub repository for the latest security advisories and updates.