CVE-2026-40350 Overview
CVE-2026-40350 is a privilege escalation vulnerability in Movary, a self-hosted web application designed for tracking and rating watched movies. Prior to version 0.71.1, an ordinary authenticated user can access administrative user-management endpoints (/settings/users) to enumerate all users and create new administrator accounts. This broken access control vulnerability (CWE-863) occurs because route definitions lack proper admin-only middleware enforcement, and the controller-level authorization check contains a flawed boolean condition.
Critical Impact
Any authenticated user with a valid web session cookie can escalate privileges to administrator, potentially gaining full control over the Movary instance including all user data and application settings.
Affected Products
- Movary versions prior to 0.71.1
- Self-hosted Movary instances running vulnerable versions
- Any deployment where untrusted users have authenticated access
Discovery Timeline
- 2026-04-18 - CVE-2026-40350 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-40350
Vulnerability Analysis
This vulnerability represents a classic broken access control flaw where administrative functionality is exposed to regular authenticated users. The issue stems from two separate but related failures in the application's authorization layer. First, the route definitions in settings/routes.php failed to apply the UserIsAdmin middleware to the /settings/users endpoints for both GET and POST methods. Second, the UserController.php contained a logic error in its authorization check that used an incorrect boolean operator.
The flaw allows any user who can authenticate to the application to reach the user management interface, enumerate existing users (potentially exposing sensitive account information), and most critically, create new administrator accounts. This provides a straightforward privilege escalation path from any authenticated user to full administrative control.
Root Cause
The root cause involves two distinct coding errors that compound into a severe vulnerability:
Missing Middleware at Route Level: The route definitions for /settings/users (GET and POST) did not include the UserIsAdmin middleware, meaning the routing layer performed no administrator checks before passing requests to the controller.
Flawed Boolean Logic in Controller: The createUser function in UserController.php used an incorrect boolean operator (&& instead of ||) in its authorization check. The original code checked if the user was NOT authenticated AND NOT an admin, meaning an authenticated non-admin user would bypass the check entirely since the first condition would be false.
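To make the "two errors compound" point concrete, the following is an added model written for this page in Python; it is not Movary's PHP and not the project's code. It runs a route's middleware list before its controller and evaluates the controller predicate in its pre-fix (&&) and post-fix (||) form, for every combination of "route middleware fixed" and "controller fixed". The route path, middleware names and method names follow the patch; User, Request, dispatch(), current_user_is_admin() and the 200/403 result strings are assumptions of this model.

```python
"""Model of how the two defects in CVE-2026-40350 compound.

Added illustration, not Movary's code: a toy dispatcher that runs a route's
middleware list before its controller, with the controller predicate in its
pre-fix (&&) and post-fix (||) form. Route, middleware and method names
follow the patch; User, Request, dispatch() and the 200/403 strings are
assumptions of this model.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

OK = "200 OK"
FORBIDDEN = "403 Forbidden"


@dataclass
class User:
    name: str
    admin: bool


@dataclass
class Request:
    method: str
    path: str
    user: Optional[User]  # None models a request with no valid session cookie

    def is_authenticated(self) -> bool:
        return self.user is not None


def current_user_is_admin(req: Request) -> bool:
    # Stand-in for getCurrentUser()->isAdmin(); returns False when there is no
    # session at all (assumption: the real call may behave differently there).
    return req.user is not None and req.user.admin


# --- middleware, mirroring UserIsAuthenticated / UserIsAdmin ----------------
Middleware = Callable[[Request], Optional[str]]


def user_is_authenticated(req: Request) -> Optional[str]:
    return None if req.is_authenticated() else FORBIDDEN


def user_is_admin(req: Request) -> Optional[str]:
    return None if current_user_is_admin(req) else FORBIDDEN


# --- controller, before and after the operator fix -------------------------
def create_user_vulnerable(req: Request) -> str:
    # Pre-fix: deny only when NOT authenticated AND NOT admin. An authenticated
    # non-admin makes the first operand false, so nothing is denied.
    if not req.is_authenticated() and not current_user_is_admin(req):
        return FORBIDDEN
    return OK


def create_user_fixed(req: Request) -> str:
    # Post-fix: deny when NOT authenticated OR NOT admin.
    if not req.is_authenticated() or not current_user_is_admin(req):
        return FORBIDDEN
    return OK


Route = Tuple[Callable[[Request], str], List[Middleware]]


def build_routes(route_fixed: bool, controller_fixed: bool) -> Dict[Tuple[str, str], Route]:
    handler = create_user_fixed if controller_fixed else create_user_vulnerable
    middleware = [user_is_authenticated, user_is_admin] if route_fixed else []
    return {("POST", "/settings/users"): (handler, middleware)}


def dispatch(routes: Dict[Tuple[str, str], Route], req: Request) -> str:
    handler, middleware = routes[(req.method, req.path)]
    for check in middleware:          # first middleware to object wins
        verdict = check(req)
        if verdict is not None:
            return verdict
    return handler(req)


def evaluate(route_fixed: bool, controller_fixed: bool, req: Request) -> str:
    return dispatch(build_routes(route_fixed, controller_fixed), req)


def matrix() -> Dict[Tuple[bool, bool], str]:
    """POST /settings/users by an authenticated non-admin under every
    combination of (route fix applied, controller fix applied)."""
    alice = Request("POST", "/settings/users", User("alice", admin=False))
    return {(rf, cf): evaluate(rf, cf, alice)
            for rf in (False, True) for cf in (False, True)}


if __name__ == "__main__":
    for (rf, cf), result in matrix().items():
        print(f"route middleware fixed={rf!s:5}  controller fixed={cf!s:5}  -> {result}")
```

Only the row with both fixes missing lets the non-admin through; either layer on its own stops the request, which is why the real fix applies both (defence in depth) rather than relying on one.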
Attack Vector
An attacker exploits this vulnerability through the network by authenticating as any regular user and then accessing the administrative endpoints directly. The attack requires only low privileges (a standard user account) and no user interaction. The exploitation path involves:
- Authenticating to Movary as a regular user
- Accessing /settings/users endpoint to enumerate all users
- Sending a POST request to /settings/users to create a new administrator account
- Logging in with the newly created admin credentials for full control
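A non-destructive way to confirm whether an instance is still exposed is to replay only the first read-only step above: fetch /settings/users with the session of a deliberately non-admin test account and look at the status code. The script below is an added example, not Movary's own tooling. It creates nothing and changes nothing. Assumptions: the caller supplies the full Cookie header value of the non-admin session (the cookie name is not given on this page), and a patched instance refuses the request with 403 (the patched controller returns Response::createForbidden(); the UserIsAdmin middleware's exact response is not shown, so anything other than 200 or 401/403 is reported as inconclusive).

```python
"""Read-only exposure check for CVE-2026-40350.

Added example, not Movary's own code. Requests GET /settings/users with the
session cookie of a non-admin account and reports whether the server let the
request through. Nothing is created or modified.
"""
import sys
import urllib.error
import urllib.request

VULNERABLE = "vulnerable: non-admin session can reach /settings/users"
PATCHED = "patched: non-admin session was refused"
INCONCLUSIVE = "inconclusive"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects: a 302 to a login page followed by a 200
    must not be mistaken for a successful fetch of the user list."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx code


def classify(status: int) -> str:
    """Map the status of GET /settings/users to a verdict (assumption: the
    patched server answers 401/403 for a non-admin session)."""
    if status == 200:
        return VULNERABLE
    if status in (401, 403):
        return PATCHED
    return f"{INCONCLUSIVE}: HTTP {status}"


def probe(base_url: str, cookie_header: str, timeout: float = 10.0) -> str:
    url = base_url.rstrip("/") + "/settings/users"
    req = urllib.request.Request(
        url, headers={"Cookie": cookie_header, "Accept": "application/json, text/html"}
    )
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as err:
        # urllib raises for 3xx (because of _NoRedirect), 4xx and 5xx; the
        # status code is still exactly what we want to classify.
        return classify(err.code)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: probe.py https://movary.example 'cookie_name=cookie_value'")
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it only against an instance you operate, with a throwaway non-admin account; a 200 here means the enumeration step of the attack path works and the instance needs the 0.71.1 upgrade.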
The following patch demonstrates the fix applied in version 0.71.1:
Route-level fix in settings/routes.php:
$routes->add('POST', '/settings/netflix/import', [Web\NetflixController::class, 'importNetflixData'], [Web\Middleware\UserIsAuthenticated::class]);
$routes->add('GET', '/settings/integrations/mastodon', [Web\SettingsController::class, 'renderMastodonPage'], [Web\Middleware\UserIsAuthenticated::class]);
$routes->add('POST', '/settings/integrations/mastodon', [Web\SettingsController::class, 'updateMastodon'], [Web\Middleware\UserIsAuthenticated::class]);
- $routes->add('GET', '/settings/users', [Web\UserController::class, 'fetchUsers']);
- $routes->add('POST', '/settings/users', [Web\UserController::class, 'createUser']);
+ $routes->add('GET', '/settings/users', [Web\UserController::class, 'fetchUsers'], [
+ Web\Middleware\UserIsAuthenticated::class,
+ Web\Middleware\UserIsAdmin::class
+ ]);
+ $routes->add('POST', '/settings/users', [Web\UserController::class, 'createUser'], [
+ Web\Middleware\UserIsAuthenticated::class,
+ Web\Middleware\UserIsAdmin::class
+ ]);
$routes->add('PUT', '/settings/users/{userId:\d+}', [Web\UserController::class, 'updateUser'], [Web\Middleware\UserIsAuthenticated::class]);
$routes->add('DELETE', '/settings/users/{userId:\d+}', [Web\UserController::class, 'deleteUser'], [Web\Middleware\UserIsAuthenticated::class]);
$routes->add('GET', '/settings/locations', [Web\LocationController::class, 'fetchLocations'], [Web\Middleware\UserIsAuthenticated::class]);
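Review bot: the trailing context lines show PUT /settings/users/{userId:\d+} and DELETE /settings/users/{userId:\d+} still guarded by Web\Middleware\UserIsAuthenticated alone, while GET and POST on /settings/users now also require Web\Middleware\UserIsAdmin. If updateUser and deleteUser are administrator operations they should receive the same second middleware entry in this hunk; if they intentionally let a user act on their own record, the authorization has to be an explicit owner-or-admin check in the controller, and a one-line comment on those two routes would record that decision so the asymmetry is not read as another omission.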
Source: GitHub Commit
Controller-level fix in src/HttpController/Web/UserController.php:
public function createUser(Request $request) : Response
{
if ($this->authenticationService->isUserAuthenticatedWithCookie() === false
- && $this->authenticationService->getCurrentUser()->isAdmin() === false) {
+ || $this->authenticationService->getCurrentUser()->isAdmin() === false) {
return Response::createForbidden();
}
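Review bot: the operator change is correct, and it also removes a latent ordering problem: with &&, an unauthenticated request (first operand true) went on to evaluate $this->authenticationService->getCurrentUser()->isAdmin() with no current user, whereas with || the true first operand short-circuits and getCurrentUser() is only reached once a session is known to exist. Two follow-ups: fetchUsers, exposed in the same way by the route hunk, does not appear here with an equivalent guard; and the compound condition would be harder to regress as two early returns, one for `isUserAuthenticatedWithCookie() === false` and one for `isAdmin() === false`, each returning Response::createForbidden().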
Source: GitHub Commit
Detection Methods for CVE-2026-40350
Indicators of Compromise
- Requests to /settings/users (GET or POST) from sessions that belong to non-administrator accounts; finding these requires joining access logs against session or user data, because the access log alone does not record the caller's role
- Administrator accounts whose creation no administrator can account for, especially ones created shortly after a non-admin session fetched /settings/users
- HTTP 200 responses to POST /settings/users for non-admin sessions (the patched controller answers 403 Forbidden)
- Unusual user enumeration patterns in web server access logs, such as repeated GETs of /settings/users from one account or source address
Detection Strategies
- Join web server access logs with the application's session data and alert on any request to /settings/users from a session that is not an administrator's
- Alert on every administrator account creation event and confirm each one against an administrator's own record of having created it
- Review authentication audit logs for privilege escalation patterns, such as a non-admin session followed shortly by a first login to a newly created administrator account
- Use web application firewall (WAF) rules to log and rate-limit POST requests to /settings/users; a WAF sees path, method and source address but not the user's role, so treat it as telemetry rather than as the authorization control
Monitoring Recommendations
- Enable detailed logging for all /settings/users endpoint access
- Configure SIEM alerts for administrator account creation outside normal administrative workflows
- Establish baseline of normal admin endpoint access patterns to identify anomalies
- Implement session tracking to correlate user privilege levels with accessed endpoints
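The recommendations above come down to one join: access log lines against the session-to-account mapping at the time of each request. The following is an added example written for this page, not Movary's own logging or code. It parses constructed access log lines, looks each session up in a constructed session map, and grades every request to the user-management routes made by a session that is not an administrator's. Assumptions, marked in the code as well: the reverse proxy appends a `sid=<session id or hash>` field to each log line through a custom log_format (a stock access log has no such field), the session map is exported from the application's session store, and the per-user sub-routes /settings/users/{userId} are treated as the same admin surface because they live in the same route file.

```python
"""Detection of CVE-2026-40350 abuse from proxy access logs.

Added example, not Movary's own code or logging. Joins access log lines
against a session-to-account map and flags requests to the user-management
endpoints by sessions that are not an administrator's. Both inputs below are
constructed for the example.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample log (nginx-style, with a trailing sid=<id> field that this
# example assumes a custom log_format appends): one admin doing legitimate
# work, one non-admin (bob) enumerating users and creating an account before
# the patch and being refused after it, and one non-admin (carol) writing to a
# per-user route.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Apr/2026:10:01:02 +0000] "GET /settings/users HTTP/1.1" 200 5120 sid=s-admin-1
10.0.0.9 - - [18/Apr/2026:10:03:44 +0000] "GET /settings/users HTTP/1.1" 200 5120 sid=s-bob
10.0.0.9 - - [18/Apr/2026:10:03:51 +0000] "POST /settings/users HTTP/1.1" 200 32 sid=s-bob
10.0.0.9 - - [19/Apr/2026:08:12:10 +0000] "GET /settings/users HTTP/1.1" 403 0 sid=s-bob
10.0.0.7 - - [19/Apr/2026:08:30:00 +0000] "GET /movies HTTP/1.1" 200 8000 sid=s-carol
10.0.0.7 - - [19/Apr/2026:08:30:30 +0000] "PUT /settings/users/4 HTTP/1.1" 200 12 sid=s-carol
"""

# Constructed session map: session id -> (account name, is_admin). In practice
# this is exported from the application's session store.
SESSIONS: Dict[str, Tuple[str, bool]] = {
    "s-admin-1": ("admin", True),
    "s-bob": ("bob", False),
    "s-carol": ("carol", False),
}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: sid=(?P<sid>\S+))?'
)

# /settings/users itself plus the per-user sub-routes from the same route file
# (assumption: all of them are user management and none should see a non-admin).
ADMIN_PATH_RE = re.compile(r"^/settings/users(?:/\d+)?(?:\?.*)?$")


def find_suspicious(log_text: str, sessions: Dict[str, Tuple[str, bool]]) -> List[dict]:
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not ADMIN_PATH_RE.match(m["path"]):
            continue
        sid = m["sid"]
        user, is_admin = sessions.get(sid, (None, False))  # unknown session: treat as non-admin
        if is_admin:
            continue
        status = int(m["status"])
        if status >= 400:
            severity = "info"       # refused (expected once patched) but still a probe
        elif m["method"] in ("POST", "PUT", "DELETE"):
            severity = "critical"   # a write to user management by a non-admin went through
        else:
            severity = "high"       # user enumeration succeeded
        alerts.append({"severity": severity, "user": user, "sid": sid, "ip": m["ip"],
                       "method": m["method"], "path": m["path"], "status": status,
                       "time": m["ts"]})
    return alerts


def summarize(alerts: List[dict]) -> Counter:
    return Counter(a["severity"] for a in alerts)


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG, SESSIONS)
    for a in found:
        who = a["user"] or "<unknown session>"
        print(f'{a["severity"]:8} {a["time"]} {who:8} {a["method"]} {a["path"]} -> {a["status"]}')
    print(dict(summarize(found)))
```

The "critical" POST by bob is the line to chase first: it is the account-creation step, and the next thing to look for is a first login to an administrator account created within minutes of that timestamp. Sessions missing from the map are graded as non-admin on purpose; an unknown session touching admin routes deserves a look, not silence.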
How to Mitigate CVE-2026-40350
Immediate Actions Required
- Upgrade Movary to version 0.71.1 or later immediately
- Audit existing user accounts for unauthorized administrator accounts created during the exposure window
- Review access logs for evidence of exploitation prior to patching
- Invalidate all existing sessions after applying the patch, so that any session an attacker already holds, including one on an administrator account created during the exposure window, stops working
Patch Information
The vulnerability is fully addressed in Movary version 0.71.1. The patch implements proper middleware enforcement at the route level and corrects the boolean logic in the controller authorization check. Users should update via the standard Movary update process. For details, see the GitHub Release Version 0.71.1 and the GitHub Security Advisory GHSA-7r3f-9fwv-p43w.
Workarounds
- If immediate patching is not possible, restrict access to the Movary instance at the network level (firewall, VPN, or reverse proxy allow-list) to trusted administrators only
- Block /settings/users at the reverse proxy; a proxy can only filter by source address, path and method, not by application role, so this also locks out every administrator outside the allowed addresses and is a stop-gap, not a fix
- Temporarily disable user registration and limit authenticated access until the patch can be applied
- Take the application offline if it is exposed to untrusted users and patching cannot be done immediately
# Example: restrict the user-management endpoints by source address in nginx
# until the patch is applied. nginx cannot tell an admin session from a
# non-admin one, so this blocks by IP only.
location /settings/users {
    # Prefix match also covers /settings/users/{userId} (PUT/DELETE).
    allow 192.168.1.0/24;   # Admin network
    deny all;
    # Requests that pass the allow-list still have to reach Movary; without a
    # proxy_pass nginx would try to serve a local file instead. Reuse the
    # proxy_pass and proxy_set_header lines from the main location block;
    # the upstream name below is a placeholder, not a Movary-defined name.
    proxy_pass http://movary_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

