{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-40350/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-40350"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Movary"],"_cs_severities":["high"],"_cs_tags":["cve-2026-40350","privilege-escalation","web-application"],"_cs_type":"advisory","_cs_vendors":["Movary"],"content_html":"\u003cp\u003eMovary, a self-hosted web application for tracking and rating movies, contains a privilege escalation vulnerability, identified as CVE-2026-40350, in versions prior to 0.71.1. This flaw allows any authenticated user, regardless of their assigned role, to access sensitive user management endpoints typically reserved for administrators. Specifically, an attacker can leverage the \u003ccode\u003e/settings/users\u003c/code\u003e endpoint to enumerate all existing users and create new administrator accounts. The root cause lies in the absence of proper admin-only middleware enforcement in the route definitions and a broken boolean condition within the controller-level authorization check. Successful exploitation grants the attacker complete administrative control over the Movary instance. The vulnerability was patched in version 0.71.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Movary application by creating a standard user account or compromising an existing non-admin account using valid credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Movary web application, establishing a valid web session.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET or POST request targeting the \u003ccode\u003e/settings/users\u003c/code\u003e endpoint, typically intended for administrator access.\u003c/li\u003e\n\u003cli\u003eDue to the missing admin-only middleware, the request is not blocked, and the application proceeds to process it.\u003c/li\u003e\n\u003cli\u003eThe application's controller-level authorization check contains a flawed boolean condition that fails to properly restrict access based on user roles.\u003c/li\u003e\n\u003cli\u003eThe application enumerates all existing users, exposing their usernames and potentially other details to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a new HTTP POST request to create a new user account, specifying administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe flawed authorization check allows the creation of the new administrator account, granting the attacker full control over the Movary instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40350 allows an attacker to gain complete administrative control over a vulnerable Movary instance. This can lead to unauthorized data access, modification, or deletion, as well as the potential for further malicious activities, such as deploying backdoors or compromising the underlying server. The number of affected Movary installations is currently unknown. Organizations and individuals using Movary are urged to upgrade to version 0.71.1 immediately.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Movary installations to version 0.71.1 to remediate CVE-2026-40350.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule \u0026quot;Movary User Management Endpoint Access\u0026quot; to detect unauthorized access attempts to \u003ccode\u003e/settings/users\u003c/code\u003e in web server logs.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for suspicious activity targeting the \u003ccode\u003e/settings/users\u003c/code\u003e endpoint, especially requests from non-administrator users.\u003c/li\u003e\n\u003cli\u003eEnable stricter role-based access control mechanisms for web applications to prevent similar privilege escalation vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-26-movary-privesc/","summary":"Movary versions prior to 0.71.1 are vulnerable to a privilege escalation, allowing authenticated non-admin users to access user management endpoints and create new administrator accounts due to missing middleware and flawed authorization checks.","title":"Movary Privilege Escalation via User Management Endpoint Access (CVE-2026-40350)","url":"https://feed.craftedsignal.io/briefs/2024-01-26-movary-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-40350","version":"https://jsonfeed.org/version/1.1"}