CVE-2026-40349: CWE-862: Missing Authorization in leepeuker movary
A missing authorization vulnerability exists in leepeuker movary versions prior to 0.71.1, allowing an authenticated user to escalate their privileges to administrator by modifying the isAdmin field via the PUT /settings/users/{userId} endpoint. This endpoint, intended for profile edits, does not restrict changes to the sensitive isAdmin attribute. The issue is patched in version 0.71.1.
AI Analysis
Technical Summary
CVE-2026-40349 describes a missing authorization (CWE-862) vulnerability in the movary web application before version 0.71.1. Authenticated users can escalate their privileges to administrator by sending isAdmin=true in a PUT request to their own user settings endpoint. The application fails to enforce admin-only authorization checks on this sensitive field, allowing privilege escalation. The vulnerability has a CVSS 3.1 score of 8.8, indicating high severity. The issue is fixed in movary version 0.71.1.
Potential Impact
An attacker with an ordinary authenticated account can escalate privileges to administrator, gaining full control over the application. This can lead to complete compromise of movary instances, including unauthorized access to all user data and administrative functions. The vulnerability impacts confidentiality, integrity, and availability as reflected in the CVSS vector.
Mitigation Recommendations
Upgrade movary to version 0.71.1 or later, where this authorization flaw is patched. Since the vendor advisory indicates the issue is fixed in 0.71.1, applying this official update is the recommended remediation. No other mitigation is specified or required.
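The flaw described above, as an added example that is not movary's own code: a minimal profile-edit handler that applies whatever the PUT body carries, beside a hardened version that allow-lists profile fields and lets only an administrator change isAdmin. The User type, the in-memory store, the field names and the handler names are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class User:
    user_id: int
    name: str
    is_admin: bool = False

# Constructed sample user store: one administrator and one ordinary user.
USERS = {1: User(1, "alice", is_admin=True), 2: User(2, "bob")}

# Fields the profile-edit endpoint is meant to let users change about themselves.
PROFILE_FIELDS = {"name"}

class Forbidden(Exception):
    """Raised when the acting user is not allowed to make the requested change."""

def update_user_vulnerable(users, actor_id, target_id, body):
    """Models the flawed pattern: profile ownership is checked, but every key
    in the PUT body is applied, including the sensitive isAdmin attribute.
    Returns the updated User; the store itself is not mutated."""
    if actor_id != target_id:
        raise Forbidden("users may only edit their own profile")
    target = users[target_id]
    if "name" in body:
        target = replace(target, name=body["name"])
    if "isAdmin" in body:  # no admin-only check on this field
        target = replace(target, is_admin=bool(body["isAdmin"]))
    return target

def update_user_fixed(users, actor_id, target_id, body):
    """Hardened handler: unknown fields are rejected, profile fields are
    allow-listed, and isAdmin may only be set by an existing administrator."""
    actor = users[actor_id]
    target = users[target_id]
    if actor_id != target_id and not actor.is_admin:
        raise Forbidden("users may only edit their own profile")
    unexpected = set(body) - PROFILE_FIELDS - {"isAdmin"}
    if unexpected:
        raise ValueError(f"unsupported fields: {sorted(unexpected)}")
    if "isAdmin" in body and not actor.is_admin:
        # Reject rather than silently strip, so the attempt is visible
        # to the caller and can be logged server-side.
        raise Forbidden("only an administrator may change isAdmin")
    if "name" in body:
        target = replace(target, name=body["name"])
    if "isAdmin" in body:
        target = replace(target, is_admin=bool(body["isAdmin"]))
    return target

def is_rejected(handler, users, actor_id, target_id, body):
    """True if the handler refuses the change with Forbidden."""
    try:
        handler(users, actor_id, target_id, body)
    except Forbidden:
        return True
    return False
```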
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-10T22:50:01.359Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e389f6bdfbbecc5976511a
Added to database: 4/18/2026, 1:41:10 PM
Last enriched: 4/18/2026, 1:53:02 PM
Last updated: 4/18/2026, 3:26:02 PM