CVE-2026-35490
changedetection.io has an Authentication Bypass via Decorator Ordering
| CVSS Score | 9.8 |
| EPSS Score | 0.0% |
| EPSS Percentile | 4th |
changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes. This vulnerability is fixed in 0.54.8.
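Added illustration, not changedetection.io's own code: a minimal stand-in for Flask's Blueprint.route() (the FakeBlueprint registry, the session dict and the view names are assumptions) reproduces the decorator-ordering bug beside the fixed ordering, and adds a registry audit a maintainer could run to flag views that were registered without their auth wrapper.

```python
from functools import wraps

class FakeBlueprint:
    """Stand-in for Flask's Blueprint (assumption): route() registers the exact object it is handed."""
    def __init__(self):
        self.view_functions = {}

    def route(self, rule):
        def decorator(func):
            self.view_functions[rule] = func  # registered as-is, wrapped or not
            return func
        return decorator

def login_optionally_required(func):
    """Stand-in auth wrapper: reject unless session['logged_in'] is set."""
    @wraps(func)
    def wrapper(session, *args, **kwargs):
        if not session.get("logged_in"):
            return "401 Unauthorized"
        return func(session, *args, **kwargs)
    return wrapper

def build_app():
    bp = FakeBlueprint()

    # Vulnerable ordering (< 0.54.8): route() is the inner decorator, so it
    # receives and registers the bare view; the auth wrapper is only ever
    # bound to the module name and never enters the request call chain.
    @login_optionally_required
    @bp.route("/vulnerable")
    def vulnerable_view(session):
        return "secret data"

    # Fixed ordering: route() is outermost, so it registers the wrapped view
    # and the authentication check runs on every request.
    @bp.route("/fixed")
    @login_optionally_required
    def fixed_view(session):
        return "secret data"

    return bp

def dispatch(bp, rule, session):
    """Simulate a request: call whatever object is registered for the rule."""
    return bp.view_functions[rule](session)

def audit_routes(bp):
    """Defender check: routes whose registered view carries no __wrapped__
    (set by functools.wraps), i.e. the bare function got registered."""
    return [r for r, f in bp.view_functions.items() if not hasattr(f, "__wrapped__")]
```

The same audit works against a real Flask app by iterating `app.view_functions`, provided every auth decorator in the code base uses `functools.wraps`.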
| CWE | CWE-863 |
| Vendor | dgtlmoon |
| Product | changedetection.io |
| Published | Apr 7, 2026 |
| Last Updated | Apr 9, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Affected Versions
| dgtlmoon / changedetection.io | < 0.54.8 |