CVE-2026-40349 Overview
CVE-2026-40349 is a privilege escalation vulnerability in Movary, a self-hosted web application for tracking and rating watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator privileges by sending isAdmin=true to PUT /settings/users/{userId} for their own user ID. The vulnerable endpoint is designed to allow users to edit their own profile settings, but it improperly updates the sensitive isAdmin field without any admin-only authorization check, allowing any authenticated user to grant themselves administrative access.
Critical Impact
Authenticated users can escalate their privileges to administrator level, gaining full control over the Movary application including access to all user data and administrative functions.
Affected Products
- Movary versions prior to 0.71.1
Discovery Timeline
- 2026-04-18 - CVE-2026-40349 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-40349
Vulnerability Analysis
This vulnerability is classified under CWE-862 (Missing Authorization), representing a broken access control flaw where the application fails to enforce proper authorization checks on a sensitive administrative operation. The PUT /settings/users/{userId} endpoint accepts user profile update requests but does not validate whether the requesting user has administrative privileges before processing updates to privileged fields like isAdmin.
The attack can be executed remotely over the network by any authenticated user with low complexity. No user interaction is required, and the attacker can fully compromise the confidentiality, integrity, and availability of the application by gaining unauthorized administrative access.
Root Cause
The root cause is a missing authorization middleware on the user update endpoint. The route handler for PUT /settings/users/{userId} was configured with only the UserIsAuthenticated middleware, omitting the critical UserIsAdmin middleware that should gate administrative field modifications. This allowed any authenticated user to modify administrative fields in their own profile, including the isAdmin flag.
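To make the CWE-862 pattern concrete, here is an added illustration written for this page in Python; it is not Movary's PHP code, and the names User, update_user_vulnerable, update_user_hardened, AuthzError and the is_admin attribute are invented for the example. The vulnerable function mirrors the pre-0.71.1 behaviour described above (authentication and "own record" are checked, then every submitted field is copied onto the record, including the privileged one); the hardened one adds the field-level allow-list a practitioner would want in the controller in addition to the route-level UserIsAdmin gate that the shipped fix uses.

```python
"""Route-level vs field-level authorization for a user-update handler.

Illustrative Python model of the missing-authorization pattern behind
CVE-2026-40349. This is NOT Movary's code: User, AuthzError and the
update_user_* functions are invented for this example.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional


class AuthzError(PermissionError):
    """Raised when the caller is not allowed to perform the update."""


@dataclass(frozen=True)
class User:
    id: int
    name: str
    is_admin: bool


# The shape of the bug: the handler confirms the caller is logged in and is
# editing their own record, then copies every known field from the payload,
# including the privileged is_admin flag, onto the stored record.
def update_user_vulnerable(actor: Optional[User], target: User,
                           payload: Dict[str, object]) -> User:
    if actor is None:
        raise AuthzError("authentication required")
    if actor.id != target.id:
        raise AuthzError("can only edit your own profile")
    fields = {k: v for k, v in payload.items() if k in ("name", "is_admin")}
    return replace(target, **fields)


# Hardened: which fields may be written depends on who the actor is and whose
# record it is. Non-admins may only touch their own non-privileged fields;
# changing is_admin, or any other user's record, requires an admin caller.
SELF_EDITABLE = frozenset({"name"})
ADMIN_EDITABLE = SELF_EDITABLE | {"is_admin"}


def update_user_hardened(actor: Optional[User], target: User,
                         payload: Dict[str, object]) -> User:
    if actor is None:
        raise AuthzError("authentication required")
    if actor.is_admin:
        allowed = ADMIN_EDITABLE
    elif actor.id == target.id:
        allowed = SELF_EDITABLE
    else:
        raise AuthzError("admin required to edit other users")
    unexpected = set(payload) - allowed
    if unexpected:
        # Reject rather than silently drop: a non-admin session submitting
        # is_admin is either a broken client or an attacker, and both deserve
        # a log line rather than a quiet success.
        raise AuthzError(f"fields not permitted for this caller: {sorted(unexpected)}")
    return replace(target, **payload)
```

The point of rejecting (not just ignoring) unexpected fields is that a successful 200 response to a payload carrying is_admin from a non-admin session is exactly the signal defenders want to be able to see in the application log.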
Attack Vector
An attacker with a valid authenticated session can exploit this vulnerability by:
- Authenticating to the Movary application with any valid user account
- Capturing or crafting a PUT request to /settings/users/{userId} where {userId} is their own user ID
- Including isAdmin=true in the request body
- Submitting the request to immediately escalate to administrator privileges
- Accessing administrative functions to modify other users, export data, or manipulate the application
The following patch demonstrates how the vulnerability was addressed by adding the UserIsAdmin middleware to the affected routes:
Web\Middleware\UserIsAuthenticated::class,
Web\Middleware\UserIsAdmin::class
]);
- $routes->add('PUT', '/settings/users/{userId:\d+}', [Web\UserController::class, 'updateUser'], [Web\Middleware\UserIsAuthenticated::class]);
- $routes->add('DELETE', '/settings/users/{userId:\d+}', [Web\UserController::class, 'deleteUser'], [Web\Middleware\UserIsAuthenticated::class]);
+ $routes->add('PUT', '/settings/users/{userId:\d+}', [Web\UserController::class, 'updateUser'], [
+ Web\Middleware\UserIsAuthenticated::class,
+ Web\Middleware\UserIsAdmin::class
+ ]);
+ $routes->add('DELETE', '/settings/users/{userId:\d+}', [Web\UserController::class, 'deleteUser'], [
+ Web\Middleware\UserIsAuthenticated::class,
+ Web\Middleware\UserIsAdmin::class
+ ]);
$routes->add('GET', '/settings/locations', [Web\LocationController::class, 'fetchLocations'], [Web\Middleware\UserIsAuthenticated::class]);
$routes->add('POST', '/settings/locations', [Web\LocationController::class, 'createLocation'], [Web\Middleware\UserIsAuthenticated::class]);
$routes->add('PUT', '/settings/locations/{locationId:\d+}', [Web\LocationController::class, 'updateLocation'], [Web\Middleware\UserIsAuthenticated::class]);
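Review bot: Adding UserIsAdmin to the whole PUT '/settings/users/{userId:\d+}' route (the `+` lines replacing the single-middleware `-` line) closes the escalation by making the endpoint admin-only, not by restricting which fields a caller may write; if non-admin users were meant to edit their own profile through this route, they can no longer do so and will need a separate self-service route that never accepts isAdmin. Independently of the route gate, updateUser should still drop or reject isAdmin unless the caller is an admin, so that a later routing change cannot reopen the hole. Giving DELETE the same gate is consistent with the PUT change.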
Source: GitHub Commit Update
Detection Methods for CVE-2026-40349
Indicators of Compromise
- Unexpected changes to user isAdmin field values in the database
- Non-administrator user accounts suddenly appearing with administrative privileges
- HTTP PUT requests to /settings/users/{userId} from non-administrator sessions; the isAdmin parameter itself is only visible where request bodies are logged
- Unusual administrative actions performed by previously non-privileged user accounts
Detection Strategies
- Monitor web server access logs for PUT requests to /settings/users/{userId}; standard access logs record the method and path but not the body, so matching on isAdmin requires request-body logging at the application or reverse proxy layer
- Implement database audit logging to track changes to the isAdmin field in user records
- Configure alerting for any user privilege changes that occur outside of expected administrative workflows
- Review application logs for authorization bypass patterns or unexpected privilege modifications
Monitoring Recommendations
- Enable detailed HTTP request logging, including request bodies, for sensitive administrative endpoints, redacting password and token fields before the logs are stored
- Set up real-time alerts for any modifications to user privilege levels in the database
- Implement anomaly detection for users performing administrative actions immediately after profile updates
- Regularly audit user accounts to identify unauthorized privilege escalations
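The following added example covers both the detection strategies and the monitoring recommendations above. It is not part of the original advisory or of Movary: it is a Python hunt script over constructed sample data, namely combined-format access log lines (which carry method and path but no body, so isAdmin itself is not visible there) and two snapshots of the user table. The is_admin column name, the log format, and every IP address and user ID in it are assumptions made for illustration.

```python
"""Hunt for CVE-2026-40349 exploitation signals (added example, not Movary code).

Two independent signals from the advisory:
  1. PUT requests to /settings/users/{userId} in the web server access log.
     Combined-format access logs carry method and path but not the body, so
     the isAdmin parameter itself cannot be matched here.
  2. Accounts whose admin flag is set in a later snapshot of the user table
     but was not set (or the account did not exist) in an earlier one, minus
     an allow-list of promotions that administrators actually performed.
All log lines and snapshots below are constructed sample data.
"""
import re
from datetime import datetime
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample: nginx/Apache "combined" log format lines.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [18/Apr/2026:10:02:11 +0000] "GET /settings/account HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Apr/2026:10:02:40 +0000] "PUT /settings/users/12 HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Apr/2026:10:05:03 +0000] "PUT /settings/users/3 HTTP/1.1" 200 17 "-" "curl/8.5.0"
203.0.113.7 - - [18/Apr/2026:10:03:02 +0000] "GET /settings/users HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
USER_UPDATE_RE = re.compile(r'^/settings/users/(?P<user_id>\d+)$')


def find_user_update_requests(log_text: str) -> List[Dict[str, object]]:
    """Return every PUT to /settings/users/{userId}, oldest first."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "PUT":
            continue
        p = USER_UPDATE_RE.match(m.group("path"))
        if not p:
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "user_id": int(p.group("user_id")),
            "status": int(m.group("status")),
        })
    return sorted(hits, key=lambda h: h["time"])


# Constructed snapshots of the user table: {user_id: (name, is_admin)}.
# The is_admin column name is an assumption for this example, not Movary's schema.
BEFORE = {1: ("root", True), 3: ("alice", False), 12: ("mallory", False)}
AFTER = {1: ("root", True), 3: ("alice", True), 12: ("mallory", True)}


def find_escalations(before: Dict[int, Tuple[str, bool]],
                     after: Dict[int, Tuple[str, bool]],
                     expected_promotions: FrozenSet[int] = frozenset()) -> List[Tuple[int, str]]:
    """Accounts that are admin in `after` but were not admin (or absent) in `before`."""
    out = []
    for uid, (name, is_admin) in after.items():
        was_admin = before.get(uid, (name, False))[1]
        if is_admin and not was_admin and uid not in expected_promotions:
            out.append((uid, name))
    return out


def correlate(log_text: str, before, after,
              expected_promotions: FrozenSet[int] = frozenset()) -> List[Dict[str, object]]:
    """Join the two signals: escalated accounts that were also the target of a PUT."""
    puts_by_target: Dict[int, List[Dict[str, object]]] = {}
    for h in find_user_update_requests(log_text):
        puts_by_target.setdefault(h["user_id"], []).append(h)
    return [
        {"user_id": uid, "name": name, "requests": puts_by_target.get(uid, [])}
        for uid, name in find_escalations(before, after, expected_promotions)
    ]


if __name__ == "__main__":
    # alice's promotion is on the allow-list; mallory's is not and has a matching PUT.
    for finding in correlate(SAMPLE_ACCESS_LOG, BEFORE, AFTER, frozenset({3})):
        print(finding)
```

Run it against a real deployment by replacing SAMPLE_ACCESS_LOG with the reverse proxy's log and the two dictionaries with periodic dumps of the user table (or a database audit log, where one exists); an escalated account with no matching PUT in the log is still worth investigating, since the request may have gone through a path the proxy does not log.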
How to Mitigate CVE-2026-40349
Immediate Actions Required
- Upgrade Movary to version 0.71.1 or later immediately
- Audit all user accounts to identify any unauthorized administrator accounts
- Revoke administrative privileges from any accounts that should not have them
- Review access logs for evidence of prior exploitation attempts
Patch Information
The vulnerability is patched in Movary version 0.71.1. The fix adds the UserIsAdmin middleware to the PUT /settings/users/{userId} and DELETE /settings/users/{userId} routes, ensuring that only authenticated administrators can modify or delete user accounts.
For detailed patch information, see the GitHub commit referenced in the Technical Details section above.
Workarounds
- If immediate upgrade is not possible, restrict network access to the Movary instance to trusted users only; this reduces exposure but does not stop an existing authenticated user, which is all the attack requires
- Implement a web application firewall (WAF) rule to block PUT requests to /settings/users/ endpoints whose request body contains the isAdmin parameter; the rule must inspect the decoded body rather than a raw substring, and it is a stopgap rather than a fix
- Regularly audit and monitor user privilege levels to detect unauthorized escalations
- Consider placing the application behind an additional authentication layer until patched, bearing in mind that this only helps if it keeps untrusted people from holding any Movary account at all
# Example: Update a git-based Movary checkout to the patched release
cd /path/to/movary
git fetch --tags
git tag --list '0.71*'        # confirm the exact release tag name before checking it out
git checkout 0.71.1
composer install --no-dev      # reinstall PHP dependencies for the checked-out release
# Deployments that run the official container image should instead pull the image tag for 0.71.1 and recreate the container.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

