
Movary before 0.71.1: Users can give themselves admin access

CVE-2026-40349
Summary

Before version 0.71.1, a user who has logged in to their own account could grant themselves administrator privileges by making a special request to the server. This could allow them to do things they normally wouldn't be able to do. Upgrade to version 0.71.1 to fix this issue.

Original title
Movary is a self-hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmi...
Original description
Movary is a self-hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=true` to `PUT /settings/users/{userId}` for their own user ID. The endpoint is intended to let a user edit their own profile, but it updates the sensitive `isAdmin` field without any admin-only authorization check. Version 0.71.1 patches the issue.
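The missing check described above, as an added illustration in Python that is not Movary's own code: a profile-update handler that verifies ownership but applies the privileged `isAdmin` field unconditionally, beside a hardened version that requires an administrator for privileged fields and rejects unknown ones. The `User` model, field sets and `Forbidden` error are assumptions for this example.

```python
from dataclasses import dataclass
from typing import Any


class Forbidden(Exception):
    """Caller is authenticated but not authorized for the requested change."""


@dataclass
class User:
    id: int
    name: str
    is_admin: bool = False


# Assumed for this example: fields a user may change on their own profile.
SELF_EDITABLE = {"name"}
# Fields that grant privileges; only an administrator may write them.
PRIVILEGED = {"isAdmin"}


def update_user_vulnerable(actor: User, target: User, payload: dict[str, Any]) -> User:
    """Pattern of the flaw: ownership is checked, but the privileged
    isAdmin field is applied with no admin-only authorization check."""
    if actor.id != target.id and not actor.is_admin:
        raise Forbidden("users may only edit their own profile")
    if "name" in payload:
        target.name = str(payload["name"])
    if "isAdmin" in payload:  # missing authorization (CWE-862)
        target.is_admin = bool(payload["isAdmin"])
    return target


def update_user_hardened(actor: User, target: User, payload: dict[str, Any]) -> User:
    """Same endpoint with the authorization check in place."""
    if actor.id != target.id and not actor.is_admin:
        raise Forbidden("users may only edit their own profile")
    requested = set(payload)
    privileged = requested & PRIVILEGED
    if privileged and not actor.is_admin:
        # Fail closed: refuse rather than silently drop the field, so the
        # attempt surfaces as a 403 in access logs instead of disappearing.
        raise Forbidden(f"administrator required to change {sorted(privileged)}")
    unknown = requested - SELF_EDITABLE - PRIVILEGED
    if unknown:  # deny by default so a new sensitive column cannot slip through
        raise ValueError(f"unsupported fields: {sorted(unknown)}")
    if "name" in payload:
        target.name = str(payload["name"])
    if "isAdmin" in payload:
        target.is_admin = bool(payload["isAdmin"])
    return target
```

With a constructed body `{"name": "alice", "isAdmin": True}` sent by a non-admin for their own ID, the vulnerable handler returns a user with `is_admin` set, while the hardened one raises `Forbidden` and leaves the record untouched.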
nvd CVSS3.1 8.8
Vulnerability type
CWE-862 Missing Authorization
Published: 18 Apr 2026 · Updated: 18 Apr 2026 · First seen: 18 Apr 2026