CVE-2026-35490
Published 2026-04-07
Priority: P3 (57)
Severity: critical, CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.54% (41.1st percentile)
changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes. This vulnerability is fixed in 0.54.8.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dgtlmoon | changedetection.io | < 0.54.8 | 0.54.8 |
| dgtlmoon | changedetection.io | >= 0 < 0.54.8 | 0.54.8 |
| webtechnologies | changedetection | < 0.54.8 | 0.54.8 |
OSV
changedetection.io Vulnerable to Authentication Bypass via Decorator Ordering
osv · 2026-04-06 · CVE-2026-35490 [CRITICAL]
### Summary
On 13 routes across 5 blueprint files, the `@login_optionally_required` decorator is placed **before** (outer to) `@blueprint.route()` instead of after it. In Flask, `@route()` must be the outermost decorator because it registers the function it receives. When the order is reversed, `@route()` registers the **original undecorated function**, and the auth wrapper is never in the call chain. This silently disables authentication on these routes.
The developer correctly uses the decorator on 30+ other routes with the proper order, making this a classic consistency gap.
### Details
**Correct order (used on 30+ routes):**
```python
@blueprint.route('/settings', methods=['GET'])
@login_optionally_required
def settings():   # placeholder view; the body is not shown in the advisory excerpt
    ...
```
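The mechanism the advisory describes, as an added example that is not code from changedetection.io: a minimal stand-in for Flask's `Blueprint.route()` with the same register-the-function-it-receives-and-return-it-unchanged behaviour, the two decorator orders side by side, a simplified auth guard (an assumption; the project's real `login_optionally_required` performs different checks), and two audits a maintainer could run to catch the misordering: a runtime one over the registered view functions and an `ast`-based one over source text. The `/export` route, the `export_data` view, the `_auth_wrapped` marker and the request dict shape are all invented for the demonstration.

```python
import ast
import functools

class MiniBlueprint:
    """Constructed stand-in for flask.Blueprint (not Flask itself). Like
    Flask's route(), it registers the exact function object it receives
    and returns that same object unchanged."""
    def __init__(self):
        self.view_functions = {}
    def route(self, rule, methods=("GET",)):
        def decorator(f):
            self.view_functions[rule] = f
            return f
        return decorator
    def dispatch(self, rule, request):
        return self.view_functions[rule](request)

def login_optionally_required(func):
    # Simplified guard (assumption): deny when a password is configured and
    # the caller is not logged in. The project's real checks differ.
    @functools.wraps(func)
    def decorated_view(request, *args, **kwargs):
        if request["password_enabled"] and not request["authenticated"]:
            return (401, "login required")
        return func(request, *args, **kwargs)
    decorated_view._auth_wrapped = True  # marker used by the runtime audit
    return decorated_view

blueprint = MiniBlueprint()

# Correct order: route() receives the auth wrapper, so the wrapper is what
# gets registered and runs on every request.
@blueprint.route('/settings')
@login_optionally_required
def settings(request):
    return (200, "settings page")

# Reversed order, the CVE-2026-35490 pattern ('/export' is an invented route):
# route() runs first, on the bare function, and registers it. The wrapper
# built afterwards is bound to the name export_data but never registered.
@login_optionally_required
@blueprint.route('/export')
def export_data(request):
    return (200, "sensitive export")

def check(rule, authenticated):
    """Dispatch a request to `rule` with a password configured."""
    request = {"password_enabled": True, "authenticated": authenticated}
    return blueprint.dispatch(rule, request)

def unprotected_routes(bp):
    """Runtime audit: registered view functions that lack the auth marker."""
    return sorted(rule for rule, f in bp.view_functions.items()
                  if not getattr(f, "_auth_wrapped", False))

def misordered_auth_decorators(source, auth_name="login_optionally_required"):
    """Static audit: functions whose auth decorator is listed above a
    .route(...) decorator. ast keeps decorator_list in source order, so
    index 0 is the outermost (last applied) decorator."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        names = []
        for dec in node.decorator_list:
            target = dec.func if isinstance(dec, ast.Call) else dec
            if isinstance(target, ast.Attribute):
                names.append(target.attr)
            else:
                names.append(getattr(target, "id", ""))
        if (auth_name in names and "route" in names
                and names.index(auth_name) < names.index("route")):
            findings.append(node.name)
    return findings

# Constructed sample source for the static audit; mirrors the two views above.
SAMPLE_SOURCE = """
@blueprint.route('/settings', methods=['GET'])
@login_optionally_required
def settings():
    return 'ok'

@login_optionally_required
@blueprint.route('/export', methods=['GET'])
def export_data():
    return 'sensitive'
"""

if __name__ == "__main__":
    print(check('/settings', authenticated=False))    # (401, 'login required')
    print(check('/export', authenticated=False))      # (200, 'sensitive export')
    print(unprotected_routes(blueprint))              # ['/export']
    print(misordered_auth_decorators(SAMPLE_SOURCE))  # ['export_data']
```

Against a real Flask app the runtime audit has the same shape: after `register_blueprint`, iterate `app.view_functions` and flag any endpoint whose callable does not carry the marker your auth decorator sets. The static audit is the cheaper guard for a code base with 40-odd decorated routes, since it catches the reversed order in CI before the wrapper silently drops out of the call chain.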
GHSA
changedetection.io Vulnerable to Authentication Bypass via Decorator Ordering
ghsa · 2026-04-06 · CVE-2026-35490 [CRITICAL] · CWE-863 (advisory body identical to the OSV entry above)
No detection rules found.
No public exploits indexed.
Published: 2026-04-07