CVE-2026-35490
Authentication Bypass in changedetection.io Due to Decorator Misorder
Publication date: 2026-04-07
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| webtechnologies | changedetection | up to 0.54.8 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35490 is a critical authentication bypass vulnerability in the Python package changedetection.io (versions up to 0.54.7). It is caused by the decorators on several Flask route definitions being applied in the wrong order: @login_optionally_required is placed above (outside) the @blueprint.route() decorator. In Flask, @route() must be the outermost decorator, because it registers the exact function object it receives and returns that object unchanged; any wrapper applied outside it is never registered.
With the decorators reversed, Flask registers the bare, unwrapped function, and the authentication wrapper is applied afterwards to a reference the dispatcher never uses. Authentication on those routes is therefore silently disabled, and requests that should require a login are served to anyone.
For example, vulnerable routes allow unauthenticated users to trigger backup creation, list backups, download backup files containing sensitive data, and delete backups without authentication.
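The following added example (not code from changedetection.io or from this advisory) reproduces the mechanism with a toy `Blueprint` whose `route()` behaves the way Flask's does: it stores the function object it is handed and returns that same object unchanged. The `login_optionally_required` decorator and the request context are constructed stand-ins; the names, the `/backups/` rule and the return values are assumptions for illustration. Dispatching to the misordered registration serves the view without authentication, while the correctly ordered one refuses; `unprotected_rules()` is a heuristic registry audit that relies on `functools.wraps` setting `__wrapped__`.

```python
import functools


# Constructed request context standing in for Flask's request/session state.
class _Request:
    authenticated = False


request = _Request()


class Blueprint:
    """Minimal stand-in for Flask's Blueprint, modelling only what matters here.

    Flask's route() registers the function object it is handed and then returns
    that same object unchanged; it does not wrap it.
    """

    def __init__(self):
        self.view_functions = {}

    def route(self, rule):
        def decorator(f):
            self.view_functions[rule] = f
            return f
        return decorator


def login_optionally_required(f):
    """Stand-in for the project's auth decorator: refuse unauthenticated callers."""
    @functools.wraps(f)
    def wrapper(*args, **kwargs):
        if not request.authenticated:
            return ("redirect to /login", 302)
        return f(*args, **kwargs)
    return wrapper


bp_vulnerable = Blueprint()
bp_fixed = Blueprint()


# Misordered (the CVE pattern): route() sees the bare function and registers it.
# login_optionally_required then wraps a reference the dispatcher never uses.
@login_optionally_required
@bp_vulnerable.route("/backups/")
def list_backups_vulnerable():
    return ("backup list", 200)


# Correct order: the wrapper is applied first, so route() registers the wrapped view.
@bp_fixed.route("/backups/")
@login_optionally_required
def list_backups_fixed():
    return ("backup list", 200)


def dispatch(bp, rule, authenticated):
    """Call the registered view the way a dispatcher would; returns (body, status)."""
    request.authenticated = authenticated
    try:
        return bp.view_functions[rule]()
    finally:
        request.authenticated = False


def unprotected_rules(bp):
    """Heuristic audit of a registry: functools.wraps sets __wrapped__ on the
    wrapper, so a registered view without __wrapped__ never passed through any
    wrapping decorator and is served exactly as defined."""
    return sorted(rule for rule, view in bp.view_functions.items()
                  if not hasattr(view, "__wrapped__"))


if __name__ == "__main__":
    print("vulnerable, no auth:", dispatch(bp_vulnerable, "/backups/", False))
    print("fixed, no auth:     ", dispatch(bp_fixed, "/backups/", False))
    print("fixed, with auth:   ", dispatch(bp_fixed, "/backups/", True))
    print("unprotected in vulnerable registry:", unprotected_rules(bp_vulnerable))
```

The `__wrapped__` audit is a heuristic only: it catches a view that reached `route()` with no wrapper at all, but it cannot tell an authentication wrapper from any other `functools.wraps`-based decorator, so it is a quick triage aid rather than proof that a route is protected.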
How can this vulnerability impact me?
This vulnerability can have severe impacts including complete data exfiltration and unauthorized actions. Attackers can access sensitive information such as monitored URLs, webhook URLs containing API tokens, application password hashes, and the Flask secret key by downloading backup files without authentication.
Additionally, attackers can trigger backup creation, list backups, and delete all backups without authentication, leading to potential data loss or manipulation.
Further impacts include configuration injection through malicious backup restores, potential server-side request forgery (SSRF) via proxy check endpoints, and browser session hijacking through Playwright session control endpoints.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the authentication enforcement on specific routes of the changedetection.io application. Vulnerable routes allow unauthenticated access to sensitive operations such as backup creation, listing, downloading, and deletion.
You can use HTTP request commands (e.g., curl) to check if these routes require authentication or not. For example, sending requests to the following endpoints and observing the HTTP response codes can help detect the vulnerability:
- curl -I http://<target>/backups/request-backup (should redirect to login if protected)
- curl -I http://<target>/backups/ (should require authentication, HTTP 200 without auth indicates vulnerability)
- curl -I http://<target>/backups/download/<filename> (should require authentication, HTTP 200 without auth indicates vulnerability)
- curl -I http://<target>/backups/remove-backups (should redirect to login if protected)
If these routes respond with HTTP 200 or redirect to a non-login page without authentication, it indicates the authentication bypass vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade changedetection.io to version 0.54.8 or later, where the vulnerability is fixed.
If upgrading is not immediately possible, review the source code of your changedetection.io installation and ensure that the Flask route decorators are correctly ordered: @blueprint.route() must be the outermost (topmost) decorator, and @login_optionally_required must sit inside it, directly above the function.
Specifically, change any vulnerable routes from this incorrect pattern:
```python
@login_optionally_required
@blueprint.route('/backups/download/<filename>')
```
to the correct pattern:
```python
@blueprint.route('/backups/download/<filename>')
@login_optionally_required
```
This ensures the authentication wrapper is what gets registered for the route, so unauthenticated requests are rejected.
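Reviewing every route by eye is error-prone, so here is an added static check (not part of changedetection.io or of this advisory) that parses a Python source file with the standard `ast` module and reports any view whose authentication decorator is listed above its `.route(...)` decorator. Python lists decorators outermost first in `decorator_list`, which is exactly the ordering the advisory is about. The set of decorator names, the sample module and the `backups_blueprint` name are assumptions for illustration; `FunctionDef.lineno` pointing at the `def` line assumes Python 3.8 or later.

```python
import ast

# Decorator names treated as authentication wrappers. login_optionally_required is
# the name given in the advisory; login_required (Flask-Login) is an added assumption.
AUTH_DECORATORS = {"login_optionally_required", "login_required"}


def _is_route_call(node):
    """True for `@<anything>.route(...)`, e.g. @backups_blueprint.route("/x")."""
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "route")


def _is_auth_decorator(node):
    """True for `@login_optionally_required` and `@login_optionally_required(...)`."""
    if isinstance(node, ast.Call):
        node = node.func
    return isinstance(node, ast.Name) and node.id in AUTH_DECORATORS


def find_misordered_views(source):
    """Return (function name, line) for every view whose auth decorator appears
    above its route() decorator. decorator_list is ordered top-to-bottom, i.e.
    outermost first, so an auth decorator at a smaller index than the route call
    is applied outside route() and is never registered."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        decos = node.decorator_list
        route_at = [i for i, d in enumerate(decos) if _is_route_call(d)]
        auth_at = [i for i, d in enumerate(decos) if _is_auth_decorator(d)]
        if route_at and auth_at and min(auth_at) < min(route_at):
            findings.append((node.name, node.lineno))
    return findings


def audit_file(path):
    """Run the check over one source file; returns the same (name, line) tuples."""
    with open(path, encoding="utf-8") as fh:
        return find_misordered_views(fh.read())


# Constructed sample module mixing the vulnerable pattern, the corrected pattern
# and a deliberately public route (no auth decorator at all, which is not flagged).
SAMPLE_SOURCE = '''\
from flask import Blueprint
backups_blueprint = Blueprint("backups", __name__)

@login_optionally_required
@backups_blueprint.route("/backups/download/<filename>")
def download_backup(filename):
    return filename

@backups_blueprint.route("/backups/")
@login_optionally_required
def list_backups():
    return "ok"

@backups_blueprint.route("/health")
def health():
    return "ok"
'''

if __name__ == "__main__":
    for name, line in find_misordered_views(SAMPLE_SOURCE):
        print(f"line {line}: view {name!r} has its auth decorator outside route()")
```

Run `audit_file()` over each blueprint module of an installation you cannot yet upgrade; an empty result for every file means no view has the misordered pattern, which is the condition the upgrade to 0.54.8 restores.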
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated access to sensitive data including monitored URLs, webhook URLs (which may contain API tokens), application password hashes, and the Flask secret key. Such unauthorized data exposure can lead to data breaches, which negatively impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.
Additionally, the ability to exfiltrate data, perform configuration injection, and hijack browser sessions increases the risk of unauthorized access and data compromise, further undermining compliance with security and privacy standards.