Security Advisory

CVE-2026-40350

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-04-18 00:07:33
Last updated 2026-04-20 16:15:39
Assigner GitHub_M
State PUBLISHED

Description

Movary is a self-hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints under `/settings/users` and use them to enumerate all users and create a new administrator account. This happens because the route definitions do not enforce admin-only middleware, and the controller-level authorization check uses a broken boolean condition, so neither layer stops a non-admin caller. As a result, any user with a valid web session cookie can reach functionality that should be restricted to administrators. Version 0.71.1 patches the issue.
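To make the two failure modes concrete, the following is an added illustration in Python and is not Movary's code or framework (Movary's actual route table, middleware and the exact boolean slip are not reproduced here). It models a minimal router where the `/settings/users` routes can be registered with or without an admin-only middleware, and a controller whose guard uses a hypothetical De Morgan error (`not authenticated and not is_admin` instead of `not (authenticated and is_admin)`). The user list and session objects are constructed sample data.

```python
"""Added example: route-level middleware plus a controller-level check,
shown in a vulnerable configuration (no middleware, broken condition) and a
fixed one. Hypothetical mini-framework, not Movary's own code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Session:
    user: str
    is_admin: bool


@dataclass
class Request:
    method: str
    path: str
    session: Optional[Session] = None  # None models a request with no valid cookie
    body: object = None


@dataclass
class Response:
    status: int
    body: object = None


def require_admin(req: Request) -> Optional[Response]:
    """Route-level middleware: anything that is not an admin session is rejected
    before the controller runs."""
    if req.session is None:
        return Response(401)
    if not req.session.is_admin:
        return Response(403)
    return None


def broken_is_allowed(session: Optional[Session]) -> bool:
    """Hypothetical broken condition: the deny branch only fires when the caller is
    neither authenticated nor admin, so any logged-in user is allowed through."""
    authenticated = session is not None
    is_admin = authenticated and session.is_admin
    if not authenticated and not is_admin:   # should be: not (authenticated and is_admin)
        return False
    return True


def fixed_is_allowed(session: Optional[Session]) -> bool:
    """Correct condition: allow only an authenticated session that is also admin."""
    authenticated = session is not None
    is_admin = authenticated and session.is_admin
    return authenticated and is_admin


@dataclass
class Router:
    routes: Dict[Tuple[str, str], Tuple[Callable, Tuple[Callable, ...]]] = field(default_factory=dict)

    def add(self, method: str, path: str, handler: Callable, middleware=()) -> None:
        self.routes[(method, path)] = (handler, tuple(middleware))

    def dispatch(self, req: Request) -> Response:
        entry = self.routes.get((req.method, req.path))
        if entry is None:
            return Response(404)
        handler, middleware = entry
        for mw in middleware:            # middleware may short-circuit the request
            early = mw(req)
            if early is not None:
                return early
        return handler(req)


class UsersController:
    """User-management endpoints guarded only by the injected check."""

    def __init__(self, is_allowed: Callable[[Optional[Session]], bool]):
        self.is_allowed = is_allowed
        self.users = {"alice": True, "bob": False}   # constructed: name -> is_admin

    def list_users(self, req: Request) -> Response:
        if not self.is_allowed(req.session):
            return Response(403)
        return Response(200, sorted(self.users))

    def create_user(self, req: Request) -> Response:
        if not self.is_allowed(req.session):
            return Response(403)
        name, is_admin = req.body
        self.users[name] = is_admin
        return Response(201, name)


def build_app(vulnerable: bool) -> Router:
    """vulnerable=True: no route middleware and the broken controller check."""
    ctrl = UsersController(broken_is_allowed if vulnerable else fixed_is_allowed)
    middleware = () if vulnerable else (require_admin,)
    router = Router()
    router.add("GET", "/settings/users", ctrl.list_users, middleware)
    router.add("POST", "/settings/users", ctrl.create_user, middleware)
    return router


def probe(vulnerable: bool) -> Dict[str, Tuple[int, int]]:
    """Return (GET status, POST status) for an anonymous caller, an ordinary
    user session and an admin session against a fresh app."""
    app = build_app(vulnerable)
    callers = {"anon": None, "user": Session("bob", False), "admin": Session("alice", True)}
    results = {}
    for label, sess in callers.items():
        get = app.dispatch(Request("GET", "/settings/users", sess))
        post = app.dispatch(Request("POST", "/settings/users", sess, body=("mallory", True)))
        results[label] = (get.status, post.status)
    return results


if __name__ == "__main__":
    print("vulnerable:", probe(True))
    print("fixed:     ", probe(False))
```

In the vulnerable configuration the ordinary `bob` session gets 200 on the user list and 201 when posting a new admin, exactly the enumerate-and-escalate path described above; with the middleware attached and the corrected condition, the same session is stopped with 403 at the route layer before the controller is reached. Keeping both layers matters: the fixed controller check alone still protects a route someone later registers without the middleware.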