PT-2026-33541 · Movary · Movary
Kitu232
Published: 2026-04-18 · Updated: 2026-04-18
CVE-2026-40349
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Movary versions prior to 0.71.1
Description
An authenticated user can escalate their account privileges to administrator. This occurs because the endpoint '/settings/users/{userId}' allows the update of the isAdmin variable without performing an administrator authorization check, enabling users to modify their own profile settings to gain administrative access.
Recommendations
Update to version 0.71.1.
Fix
Missing Authorization
Affected Products
Movary