CVE-2026-35490
Status: Received - Intake
Authentication Bypass in changedetection.io Due to Decorator Misorder

Publication date: 2026-04-07

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes. This vulnerability is fixed in 0.54.8.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-14
Generated: 2026-06-16
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-06-15
Source: NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: webtechnologies
Product: changedetection
Version / Range: up to 0.54.8 (excluding)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Quick Actions
Compliance Impact

This vulnerability allows unauthenticated access to sensitive data including monitored URLs, webhook URLs (which may contain API tokens), application password hashes, and the Flask secret key. Such unauthorized data exposure can lead to data breaches, which negatively impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.

Additionally, the ability to exfiltrate data, perform configuration injection, and hijack browser sessions increases the risk of unauthorized access and data compromise, further undermining compliance with security and privacy standards.

Executive Summary

CVE-2026-35490 is a critical authentication bypass vulnerability in the Python package changedetection.io (versions up to 0.54.7). It is caused by incorrect ordering of decorators in Flask route definitions. Specifically, the @login_optionally_required decorator is placed before (outer to) the @blueprint.route() decorator, which is incorrect because in Flask, @route() must be the outermost decorator to properly register the function.

When the decorators are reversed, Flask registers the original undecorated function, bypassing the authentication wrapper entirely and silently disabling authentication on these routes. This means that certain routes that should require authentication do not, allowing unauthenticated access.

For example, vulnerable routes allow unauthenticated users to trigger backup creation, list backups, download backup files containing sensitive data, and delete backups without authentication.

Impact Analysis

This vulnerability can have severe impacts including complete data exfiltration and unauthorized actions. Attackers can access sensitive information such as monitored URLs, webhook URLs containing API tokens, application password hashes, and the Flask secret key by downloading backup files without authentication.

Additionally, attackers can trigger backup creation, list backups, and delete all backups without authentication, leading to potential data loss or manipulation.

Further impacts include configuration injection through malicious backup restores, potential server-side request forgery (SSRF) via proxy check endpoints, and browser session hijacking through Playwright session control endpoints.

Detection Guidance

This vulnerability can be detected by testing the authentication enforcement on specific routes of the changedetection.io application. Vulnerable routes allow unauthenticated access to sensitive operations such as backup creation, listing, downloading, and deletion.

You can use HTTP request commands (e.g., curl) to check if these routes require authentication or not. For example, sending requests to the following endpoints and observing the HTTP response codes can help detect the vulnerability:

  • curl -I http://<target>/backups/request-backup (should redirect to login if protected)
  • curl -I http://<target>/backups/ (should require authentication, HTTP 200 without auth indicates vulnerability)
  • curl -I http://<target>/backups/download/<filename> (should require authentication, HTTP 200 without auth indicates vulnerability)
  • curl -I http://<target>/backups/remove-backups (should redirect to login if protected)

If these routes respond with HTTP 200 or redirect to a non-login page without authentication, it indicates the authentication bypass vulnerability is present.

Mitigation Strategies

The immediate mitigation step is to upgrade changedetection.io to version 0.54.8 or later, where the vulnerability is fixed.

If upgrading is not immediately possible, review the source code of your changedetection.io installation and ensure that the Flask route decorators are correctly ordered: the @blueprint.route() decorator must be the outermost decorator, and the @login_optionally_required decorator must be applied inside it.

Specifically, change any vulnerable routes from this incorrect pattern:

  • @login_optionally_required
    @blueprint.route('/backups/download/<filename>')

to the correct pattern:

  • @blueprint.route('/backups/download/<filename>')
    @login_optionally_required

This ensures authentication wrappers are properly applied and prevents unauthorized access.
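The following is an added example, not code from changedetection.io or Flask, that makes the decorator-order problem described above concrete. It uses a constructed stand-in for a Flask blueprint (`FakeBlueprint`, whose `route()` records the function it receives, as Flask's does) and a constructed `login_optionally_required` wrapper; it then registers the same view in the wrong order and in the correct order, dispatches an unauthenticated request through each registry the way the detection guidance suggests, and shows that the wrongly ordered route answers 200 while the correctly ordered one redirects to login. Request dictionaries and the `/backups/` rule are illustrative values.

```python
"""Demonstration of why @route() must be the outermost decorator.

FakeBlueprint, login_optionally_required and the request dicts are constructed
for this example; they mimic the relevant behaviour but are not Flask's or
changedetection.io's real code.
"""
import functools


class FakeBlueprint:
    """Minimal stand-in for flask.Blueprint: route() registers the exact
    function object it is handed, keyed by URL rule, and returns it unchanged
    (Flask's route() behaves the same way)."""

    def __init__(self):
        self.view_functions = {}

    def route(self, rule):
        def decorator(func):
            self.view_functions[rule] = func  # whatever object arrives here is served
            return func
        return decorator


def login_optionally_required(func):
    """Constructed auth wrapper: if a password is configured and the request is
    not authenticated, answer 302 to the login page instead of running the view."""

    @functools.wraps(func)
    def wrapper(request):
        if request["password_set"] and not request["logged_in"]:
            return 302, "/login"
        return func(request)

    return wrapper


# Wrong order (the pattern fixed in 0.54.8): decorators apply bottom-up, so
# route() runs first and registers the bare view; the auth wrapper is applied
# afterwards to the module-level name only and never enters the call chain.
vulnerable_bp = FakeBlueprint()


@login_optionally_required
@vulnerable_bp.route("/backups/")
def vulnerable_backups(request):
    return 200, "backups: [constructed-backup.zip]"


# Correct order: the wrapper is applied first, and route() registers the
# wrapped function, so every dispatched request passes the auth check.
fixed_bp = FakeBlueprint()


@fixed_bp.route("/backups/")
@login_optionally_required
def fixed_backups(request):
    return 200, "backups: [constructed-backup.zip]"


# Constructed requests: a password is configured, one session is logged in.
UNAUTH_REQUEST = {"password_set": True, "logged_in": False}
AUTH_REQUEST = {"password_set": True, "logged_in": True}


def dispatch(bp, rule, request):
    """Call whatever the blueprint actually registered for `rule`, as the
    framework would on an incoming request (not the module-level name)."""
    return bp.view_functions[rule](request)


def is_protected(bp, rule):
    """Detection logic from the advisory, applied to the registry: an
    unauthenticated request to a protected route must redirect to login,
    not return 200."""
    status, body = dispatch(bp, rule, UNAUTH_REQUEST)
    return status == 302 and body == "/login"


if __name__ == "__main__":
    for name, bp in (("wrong order", vulnerable_bp), ("correct order", fixed_bp)):
        status, body = dispatch(bp, "/backups/", UNAUTH_REQUEST)
        verdict = "protected" if is_protected(bp, "/backups/") else "AUTH BYPASS"
        print(f"{name:14} unauthenticated GET /backups/ -> {status} {body!r}  [{verdict}]")
    # The wrapped name still enforces the check when called directly, which is
    # why the misorder is silent: nothing fails, the wrapper is simply unused.
    print("direct call of vulnerable_backups:", vulnerable_backups(UNAUTH_REQUEST))
```

The point to take from the run is that `vulnerable_backups` itself still returns the 302 when called by name, so a unit test that calls the view function directly would pass; only dispatching through the registered route, as the curl checks above do, reveals that the bare function is what the framework serves.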
