PT-2026-33548 · Movary · Movary

Kitu232 · Published 2026-04-18 · Updated 2026-04-18 · CVE-2026-40350

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Movary versions prior to 0.71.1

Description: An authenticated user can access user-management endpoints, specifically '/settings/users', to enumerate all users and create a new administrator account. This occurs because route definitions lack admin-only middleware and the controller-level authorization check employs a broken boolean condition, allowing any user with a valid web session cookie to access restricted administrative functionality.

Recommendations: Update to version 0.71.1.
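The description names two separate defects: a route registered without an admin-only middleware, and a controller check whose boolean condition never rejects a signed-in user. The following PHP script is a constructed illustration added to this record; it is not Movary's code, and every class, method and route name in it (User, Request, Response, UsersSettingsController, requireAdmin) is hypothetical. It places a vulnerable route/controller pair next to a hardened one so the difference in behaviour for an ordinary authenticated session is visible. It assumes PHP 8.1 or later.

```php
<?php
declare(strict_types=1);

// Constructed illustration only. These classes are hypothetical and are not
// Movary's code; they model the two defects the advisory describes
// (no admin-only middleware on the route, broken boolean check in the
// controller) next to a hardened form.

final class User
{
    public function __construct(public readonly string $name, public readonly bool $isAdmin) {}
}

final class Request
{
    public function __construct(public readonly string $path, public readonly ?User $sessionUser) {}
}

final class Response
{
    public function __construct(public readonly int $status, public readonly string $body) {}
}

/** Hypothetical controller for GET /settings/users. */
final class UsersSettingsController
{
    /**
     * Vulnerable form. The intent is "deny unless the caller is an admin",
     * but '&&' was used where '||' was needed: as soon as a session user
     * exists, '$user === null' is false and the whole condition is false,
     * so every authenticated user (admin or not) gets the user list.
     */
    public function listUsersVulnerable(Request $request): Response
    {
        $user = $request->sessionUser;
        if ($user === null && !$user?->isAdmin) {
            return new Response(403, 'Forbidden');
        }
        return new Response(200, 'user list for ' . $user->name);
    }

    /** Hardened form: anonymous OR non-admin callers are rejected. */
    public function listUsersFixed(Request $request): Response
    {
        $user = $request->sessionUser;
        if ($user === null || !$user->isAdmin) {
            return new Response(403, 'Forbidden');
        }
        return new Response(200, 'user list for ' . $user->name);
    }
}

/** Route-level guard that runs before the controller (hypothetical middleware). */
function requireAdmin(Request $request, callable $next): Response
{
    $user = $request->sessionUser;
    if ($user === null || !$user->isAdmin) {
        return new Response(403, 'Forbidden');
    }
    return $next($request);
}

$controller = new UsersSettingsController();
$routes = [
    // Vulnerable registration: no middleware, the controller check is the only gate.
    'vulnerable' => fn(Request $r): Response => $controller->listUsersVulnerable($r),
    // Hardened registration: middleware rejects non-admins before the controller
    // runs, and the controller repeats the check (defence in depth).
    'fixed' => fn(Request $r): Response => requireAdmin(
        $r,
        fn(Request $r): Response => $controller->listUsersFixed($r)
    ),
];

// Constructed sessions: an anonymous visitor, an ordinary user and an admin.
$alice = new User('alice', true);
$bob   = new User('bob', false);
foreach (['vulnerable', 'fixed'] as $variant) {
    foreach ([null, $bob, $alice] as $sessionUser) {
        $label    = $sessionUser?->name ?? 'anonymous';
        $response = $routes[$variant](new Request('/settings/users', $sessionUser));
        printf("%-10s %-9s -> %d %s\n", $variant, $label, $response->status, $response->body);
    }
}
```

Running the script shows the ordinary user receiving 200 from the vulnerable route and 403 from the hardened one, while the admin is accepted by both and the anonymous request is rejected by both. The useful review habit this models is checking that every administrative route carries the guard at registration time rather than relying on each controller to get its own condition right; an authorization test that exercises each privileged endpoint with a non-admin session catches both defects at once.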

Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2026-40350

Affected Products: Movary