Attack Chain

1. An attacker authenticates to the Movary web application with a valid user account.
2. The attacker crafts a malicious URL targeting an internal resource, such as http://127.0.0.1/.
3. The attacker sends a POST request to /settings/jellyfin/server-url-verify with the crafted URL as the serverUrl parameter.
4. The Movary server receives the request and appends /system/info/public to the user-provided URL.
5. The Movary server uses the Guzzle HTTP client to initiate an HTTP request to the modified URL (e.g., http://127.0.0.1/system/info/public).
6. The internal service at the targeted IP address responds to the Movary server.
7. Based on the HTTP response code and content, the attacker can infer the existence and status of internal services. This allows for port scanning and service fingerprinting.
8. The attacker leverages discovered services to escalate privileges, potentially accessing sensitive data or internal administrative panels.

Impact

Successful exploitation of the SSRF vulnerability (CVE-2026-40348) in Movary can enable attackers to discover internal network infrastructure and identify vulnerable services. This can allow attackers to gain unauthorized access to sensitive information, pivot to other internal systems, or perform other malicious activities. Although no specific victim count is given, the impact of this vulnerability is potentially high for any organization using a vulnerable version of Movary.

Recommendation

• Upgrade Movary to version 0.71.1 or later to patch the SSRF vulnerability (CVE-2026-40348).
• Deploy the Sigma rule Detect Movary SSRF Attempt to identify potential exploitation attempts in web server logs.
• Implement network segmentation and access controls to restrict access to sensitive internal services, limiting the impact of potential SSRF attacks.