CVE-2026-35490

CRITICAL

changedetection.io has an Authentication Bypass via Decorator Ordering

Title source: cna

Description

changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes. This vulnerability is fixed in 0.54.8.

References (1)

[X_Refsource_Confirm] https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-jmrh-xmgh-x9j4

Scores

CVSS v3 9.8

EPSS 0.0003

EPSS Percentile 7.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-863

Status published

Products (3)

dgtlmoon/changedetection.io < 0.54.8

pypi/changedetection.io 0 - 0.54.8PyPI

webtechnologies/changedetection < 0.54.8

Published Apr 07, 2026

Tracked Since Apr 07, 2026