CVE-2026-40350: CWE-863: Incorrect Authorization in leepeuker movary
CVE-2026-40350 is an authorization vulnerability in leepeuker movary versions prior to 0.71.1. It allows any authenticated user to reach user-management endpoints that should be restricted to administrators. The flaw has two causes: admin-only middleware is missing on the affected routes, and the controller-level authorization check uses a faulty boolean condition that lets non-admin sessions pass. Exploiting this, an attacker holding any valid account can enumerate all users and create new administrator accounts. The issue is patched in version 0.71.1.
AI Analysis
Technical Summary
The vulnerability in movary before version 0.71.1 is incorrect authorization (CWE-863) on the `/settings/users` endpoints. These routes are not wrapped in admin-only middleware, and the controller's own permission check is built on a broken boolean condition, so neither layer rejects a non-admin caller. Consequently, any user with a valid authenticated session can perform administrative actions such as enumerating users and creating new admin accounts. This is a vertical privilege escalation from an ordinary user to administrator. The vendor fixed the issue in version 0.71.1.
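The following is an added illustration of the two failure points described above, written as a small Python model rather than taken from movary (which is a PHP application); the buggy expression, route names and session fields are hypothetical, since the page does not publish movary's actual condition. It shows how a controller check with a mis-joined boolean admits any authenticated user, and how a deny-by-default check plus route-level middleware closes the gap even if one layer regresses.

```python
"""Hypothetical model of CWE-863 on an admin-only route (not movary's code)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, str]


@dataclass
class Session:
    """Constructed session object; movary's real session shape is not on the page."""
    user_id: Optional[int] = None
    is_admin: bool = False

    @property
    def is_authenticated(self) -> bool:
        return self.user_id is not None


Handler = Callable[[Session], Response]


def vulnerable_users_controller(session: Session) -> Response:
    # Faulty boolean (hypothetical instance of the bug class): the intent is
    # "deny unless authenticated admin", but `and` rejects only callers who are
    # BOTH unauthenticated AND non-admin. Any logged-in regular user passes.
    if not session.is_authenticated and not session.is_admin:
        return 403, "forbidden"
    return 200, "user list"


def fixed_users_controller(session: Session) -> Response:
    # Deny by default; grant only when both required conditions hold.
    if not (session.is_authenticated and session.is_admin):
        return 403, "forbidden"
    return 200, "user list"


def require_admin(handler: Handler) -> Handler:
    """Route-level middleware: a second, independent gate in front of the controller."""

    def wrapped(session: Session) -> Response:
        if not session.is_authenticated:
            return 401, "unauthorized"
        if not session.is_admin:
            return 403, "forbidden"
        return handler(session)

    return wrapped


class Router:
    """Minimal path -> handler table with optional middleware stacking."""

    def __init__(self) -> None:
        self.routes: Dict[str, Handler] = {}

    def add(self, path: str, handler: Handler, middleware=()) -> None:
        for mw in middleware:
            handler = mw(handler)
        self.routes[path] = handler

    def dispatch(self, path: str, session: Session) -> Response:
        return self.routes[path](session)


def build_vulnerable_app() -> Router:
    app = Router()
    app.add("/settings/users", vulnerable_users_controller)  # no middleware at all
    return app


def build_fixed_app() -> Router:
    app = Router()
    app.add("/settings/users", fixed_users_controller, middleware=[require_admin])
    return app


def probe(app: Router, path: str = "/settings/users") -> Dict[str, int]:
    """Status code seen by an anonymous caller, a plain user, and an admin."""
    return {
        "anonymous": app.dispatch(path, Session())[0],
        "user": app.dispatch(path, Session(user_id=2))[0],
        "admin": app.dispatch(path, Session(user_id=1, is_admin=True))[0],
    }


if __name__ == "__main__":
    print("vulnerable:", probe(build_vulnerable_app()))
    print("fixed:     ", probe(build_fixed_app()))
```

The `probe` helper is the shape of test a practitioner would keep in the suite after the fix: three sessions, one route, and the expectation that only the admin session gets a 200. Running it against the vulnerable router shows the plain user receiving the same response as the admin, which is exactly the behaviour the advisory describes.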
Potential Impact
An attacker holding any authenticated user account can bypass the intended access controls to enumerate all users and create new administrator accounts, after which they hold full administrative control of the movary instance. This affects confidentiality, integrity, and availability of the application and its data, reflected in the CVSS 3.1 base score of 8.8 (High).
Mitigation Recommendations
Upgrade movary to version 0.71.1 or later, where this authorization flaw is patched. No patch link or vendor advisory is provided here, so confirm the fix from the vendor's official release notes or repository. After upgrading, confirm with a non-admin test account that requests to the `/settings/users` endpoints are denied. Because the flaw allows creation of administrator accounts, also review the user list of any instance that ran an affected version for administrator accounts you did not create. Until the upgrade is applied, restrict access to the application to trusted users only.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-10T22:50:01.359Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e2d977bdfbbecc59bbf81f
Added to database: 4/18/2026, 1:08:07 AM
Last enriched: 4/18/2026, 1:23:08 AM
Last updated: 4/18/2026, 2:15:00 AM