{"id":"CVE-2026-40349","summary":"Authenticated Movary User Can Self-Escalate to Administrator via PUT /settings/users/{userId} by Setting isAdmin=true","details":"Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=true` to `PUT /settings/users/{userId}` for their own user ID. The endpoint is intended to let a user edit their own profile, but it updates the sensitive `isAdmin` field without any admin-only authorization check. Version 0.71.1 patches the issue.","aliases":["GHSA-mcfq-8rx7-w25v"],"modified":"2026-07-15T01:49:09.156800361Z","published":"2026-04-18T00:05:46.360Z","database_specific":{"cwe_ids":["CWE-862"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40349.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/leepeuker/movary/releases/tag/0.71.1"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40349.json"},{"type":"ADVISORY","url":"https://github.com/leepeuker/movary/security/advisories/GHSA-mcfq-8rx7-w25v"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40349"},{"type":"FIX","url":"https://github.com/leepeuker/movary/commit/12c8a090051b1a1c07a3aa48922f3bc9ffe44c8b"},{"type":"FIX","url":"https://github.com/leepeuker/movary/pull/750"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/leepeuker/movary","events":[{"introduced":"0"},{"fixed":"d459b3513293d41254f7093aef07010a8e5dcf04"},{"fixed":"12c8a090051b1a1c07a3aa48922f3bc9ffe44c8b"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"0.71.1"}],"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:leepeuker:movary:*:*:*:*:*:*:*:*"}}],"versions":["0.71.0","0.70.1","0.70.0","0.69.0","0.68.0","0.67.0","0.66.2","0.66.1","0.66.0","0.65.0","0.64.1","0.64.0","0.63.0","0.62.2","0.62.1","0.62.0","0.61.0","0.60.0","0.59.0","0.58.0","0.57.0","0.56.0","0.55.1","0.55.0","0.54.0","0.53.1","0.53.0","0.52.0","0.51.0","0.50.0","0.49.0","0.48.1","0.48.0","0.47.4","0.47.3","0.47.2","0.47.1","0.47.0","0.46.1","0.46.0","0.45.0","0.44.0","0.43.0","0.42.0","0.41.0","0.40.0","0.39.4","0.39.3","0.39.2","0.39.1","0.39.0","0.38.1","0.38.0","0.37.0","0.36.0","0.35.8","0.35.7","0.35.6","0.35.5","0.35.4","0.35.3","0.35.2","0.35.1","0.35.0","0.34.0","0.33.3","0.33.2","0.33.1","0.33.0","0.32.2","0.32.1","0.32.0","0.31.1","0.31.0","0.30.0","0.29.1","0.29.0","0.28.1","0.28.0","0.27.0","0.26.4","0.26.3","0.26.2","0.26.1","0.26.0","0.25.4","0.25.3","0.25.2","0.25.1","0.25.0","0.24.0","0.23.0","0.22.0","0.21.2","0.21.1","0.21.0","0.20.1","0.20.0","0.19.4","0.19.3","0.19.2","0.19.1","0.19.0","0.18.1","0.18.0","0.17.0","0.16.1","0.16.0","0.15.1","0.15.0","0.14.1","0.14.0","0.13.0","0.12.0","0.11.0","0.10.0","0.9.3","0.9.2","0.9.1","0.9.0","0.8.0","0.7.0","0.6.0","0.5.0","0.4.2","0.4.1","0.4.0","0.3.0","0.2.0","0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40349.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}