{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-40349/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-40349"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","web-application","cve-2026-40349"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMovary is a self-hosted web application designed for users to track and rate movies they have watched. Prior to version 0.71.1, the application contains a privilege escalation vulnerability (CVE-2026-40349). An authenticated user could modify their account to gain administrative privileges without proper authorization. This is achieved by sending a PUT request to the \u003ccode\u003e/settings/users/{userId}\u003c/code\u003e endpoint with the \u003ccode\u003eisAdmin\u003c/code\u003e field set to \u003ccode\u003etrue\u003c/code\u003e. This vulnerability exists because the application fails to implement sufficient authorization checks before updating the sensitive \u003ccode\u003eisAdmin\u003c/code\u003e field. Version 0.71.1 addresses this issue, mitigating the risk of unauthorized privilege escalation. The vulnerable versions expose self-hosted Movary instances to potential compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Movary instance with a valid, non-administrative user account.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the vulnerable \u003ccode\u003e/settings/users/{userId}\u003c/code\u003e endpoint that manages user profile settings.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a PUT request to \u003ccode\u003e/settings/users/{userId}\u003c/code\u003e, substituting \u003ccode\u003e{userId}\u003c/code\u003e with their own user ID.\u003c/li\u003e\n\u003cli\u003eThe PUT request includes the parameter \u003ccode\u003eisAdmin=true\u003c/code\u003e within the request body, attempting to modify the user\u0026rsquo;s privilege level.\u003c/li\u003e\n\u003cli\u003eThe Movary server processes the PUT request without performing adequate authorization checks to verify the user\u0026rsquo;s authority to modify the \u003ccode\u003eisAdmin\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe server updates the user\u0026rsquo;s account, setting the \u003ccode\u003eisAdmin\u003c/code\u003e flag to \u003ccode\u003etrue\u003c/code\u003e, effectively granting the attacker administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker logs out and back into the Movary instance.\u003c/li\u003e\n\u003cli\u003eUpon re-authentication, the attacker now possesses administrative privileges and can access and modify sensitive data, configurations, and potentially compromise the entire Movary instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain full administrative control over a Movary instance. This could lead to unauthorized access to user data, modification or deletion of movies and ratings, and potentially complete compromise of the server hosting the application. The number of affected instances is unknown; any self-hosted deployment running a version earlier than 0.71.1 is affected. The severity is high (CVSS 8.8), as it allows a low-privilege user to gain complete control over the application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Movary instances to version 0.71.1 or later to remediate the vulnerability (references: Overview section).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect suspicious PUT requests to \u003ccode\u003e/settings/users/{userId}\u003c/code\u003e attempting to modify the \u003ccode\u003eisAdmin\u003c/code\u003e parameter (references: Sigma rule below). Note that standard web-server access logs record the method and path but not the request body, so matching on the \u003ccode\u003eisAdmin\u003c/code\u003e field requires application-level or proxy body logging; method and path alone only narrow the set of candidate requests.\u003c/li\u003e\n\u003cli\u003eImplement server-side authorization checks so that privileged attributes such as \u003ccode\u003eisAdmin\u003c/code\u003e can be changed only by an administrator, and reject requests from other users that carry them rather than silently applying them (references: CVE-2026-40349 description).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T00:16:38Z","date_published":"2026-04-18T00:16:38Z","id":"/briefs/2026-04-movary-privesc/","summary":"Movary versions prior to 0.71.1 allow authenticated users to escalate privileges to administrator by manipulating the `isAdmin` field via a PUT request to the `/settings/users/{userId}` endpoint, due to missing authorization checks.","title":"Movary Privilege Escalation Vulnerability (CVE-2026-40349)","url":"https://feed.craftedsignal.io/briefs/2026-04-movary-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-40349","version":"https://jsonfeed.org/version/1.1"}
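Added example (an editor's illustration, not Movary's code and not the project's fix) of the authorization flaw behind the attack chain above and of the server-side check the recommendations call for. It models a PUT /settings/users/{userId} handler twice: a vulnerable form that applies the request body to the account as-is, so a non-admin sending isAdmin=true for their own userId becomes an administrator, and a hardened form that authorizes each field against the requester's role. The in-memory user store, the user IDs and names, the SELF_EDITABLE and ADMIN_ONLY field sets, the audit-event shape and the "admins cannot demote themselves" guard are all assumptions made for the demo, not details from the advisory.

```python
# Added illustrative example for CVE-2026-40349; not Movary's code. The store
# layout, field names, helper names and audit-event format are assumptions.
from dataclasses import dataclass


@dataclass
class User:
    id: int
    name: str
    is_admin: bool = False


class Forbidden(Exception):
    """The requester is not authorized for the requested change."""


# Fields a user may change on their own account (assumed for this demo).
SELF_EDITABLE = {"name"}
# Privileged fields that only an administrator may change.
ADMIN_ONLY = {"isAdmin"}


def make_store():
    """Constructed sample data: one administrator and one ordinary user."""
    return {1: User(1, "alice", True), 2: User(2, "mallory", False)}


def update_user_vulnerable(store, requester_id, target_id, body):
    """Vulnerable pattern: fields from the request body are applied as-is.

    The only check is 'you may edit your own row', so an ordinary user who
    sends {"isAdmin": true} for their own userId becomes an administrator,
    which is the attack chain described in the advisory.
    """
    requester = store[requester_id]
    if target_id != requester_id and not requester.is_admin:
        raise Forbidden("cannot edit another user")
    target = store[target_id]
    if "name" in body:
        target.name = str(body["name"])
    if "isAdmin" in body:  # mass assignment of a privileged field: the bug
        target.is_admin = bool(body["isAdmin"])
    return target


def update_user_hardened(store, requester_id, target_id, body, audit):
    """Hardened pattern: authorize every field against the requester's role.

    Non-admins may edit only their own account and only SELF_EDITABLE fields.
    A non-admin request carrying an ADMIN_ONLY field is rejected outright and
    recorded in `audit`, so the attempt is visible to detection instead of
    being silently dropped. Admins may edit anyone but cannot remove their
    own flag (an assumed lockout guard, not something the advisory specifies).
    """
    requester = store[requester_id]
    target = store[target_id]
    unknown = set(body) - (SELF_EDITABLE | ADMIN_ONLY)
    if unknown:
        raise ValueError("unknown fields: %s" % sorted(unknown))
    if not requester.is_admin:
        if target_id != requester_id:
            raise Forbidden("cannot edit another user")
        denied = ADMIN_ONLY & set(body)
        if denied:
            audit.append({"event": "privilege_escalation_attempt",
                          "user_id": requester_id, "fields": sorted(denied)})
            raise Forbidden("fields not permitted: %s" % sorted(denied))
    if "name" in body:
        target.name = str(body["name"])
    if "isAdmin" in body:
        new_flag = bool(body["isAdmin"])
        if target_id == requester_id and not new_flag:
            raise Forbidden("cannot remove your own admin flag")
        if target.is_admin != new_flag:
            audit.append({"event": "admin_flag_changed", "by": requester_id,
                          "user_id": target_id, "isAdmin": new_flag})
        target.is_admin = new_flag
    return target


def run_scenarios():
    """Replay the advisory's request against both handlers; return outcomes."""
    vuln_store = make_store()
    update_user_vulnerable(vuln_store, 2, 2, {"isAdmin": True})

    hard_store = make_store()
    audit = []
    try:
        update_user_hardened(hard_store, 2, 2, {"isAdmin": True}, audit)
        escalation_blocked = False
    except Forbidden:
        escalation_blocked = True
    # A legitimate promotion performed by the administrator still works.
    update_user_hardened(hard_store, 1, 2, {"isAdmin": True}, audit)

    return {
        "vulnerable_mallory_is_admin": vuln_store[2].is_admin,
        "hardened_blocked": escalation_blocked,
        "hardened_mallory_is_admin_after_admin_promotion": hard_store[2].is_admin,
        "audit_events": [e["event"] for e in audit],
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(key, "=", value)
```

The point of rejecting rather than ignoring the privileged field is that the denial produces an audit event ("privilege_escalation_attempt" with the requester's ID) that a SIEM rule can key on directly; a web-server access log only shows a PUT to /settings/users/{userId}, not the isAdmin field in the body.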