Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.8
Authenticated users can see and create other users in Movary
CVE-2026-40350
Summary
Prior to version 0.71.1 of the self-hosted Movary app, any authenticated user could see a list of all users and even create new administrator accounts. This is fixed in version 0.71.1. To stay secure, update to the latest version of Movary.
Original title
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use...
Original description
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use them to enumerate all users and create a new administrator account. This happens because the route definitions do not enforce admin-only middleware, and the controller-level authorization check uses a broken boolean condition. As a result, any user with a valid web session cookie can reach functionality that should be restricted to administrators. Version 0.71.1 patches the issue.
nvd CVSS3.1
8.8
Vulnerability type
CWE-863
Incorrect Authorization
Published: 18 Apr 2026 · Updated: 18 Apr 2026 · First seen: 18 Apr 2026