Critical (9.8)

changedetection.io Auth Bypass (CVE-2026-35490)

CVE-2026-35490

changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. I...

Overview

A critical security flaw in the open-source web monitoring tool changedetection.io allows unauthenticated attackers to reach routes that should require a login. The vulnerability, tracked as CVE-2026-35490, stems from an incorrect decorator order in the project's Flask application code: the authentication decorator was stacked on the wrong side of the route decorator, which silently removes login protection from the affected routes.

Vulnerability Details

Python applies stacked decorators from the innermost (closest to the function) outward, and Flask's @route() registers whatever function it receives at that moment and returns it unchanged. For a protected view, @route() therefore has to be the outermost decorator so that the function it registers is the already-wrapped one. In changedetection.io versions prior to 0.54.8, the @login_optionally_required authentication wrapper was placed above (outside) @blueprint.route() on certain endpoints. @route() ran first and registered the bare view function; the login wrapper was then applied only to the module-level name, which Flask never calls. Nothing fails at import or request time: the route keeps working normally, so the missing check leaves no error or log entry. It is a silent failure that disables a security control without warning.

Impact

With a CVSS v3.1 score of 9.8 (CRITICAL), this vulnerability has severe implications. An unauthenticated remote attacker can reach the affected routes and the functionality behind them without any privileges or user interaction. Depending on which routes are affected and how the instance is deployed, this can lead to unauthorized viewing of sensitive change-detection data, modification of monitoring targets, or control of the application instance. The network attack vector and low attack complexity make large-scale exploitation straightforward, particularly for instances exposed directly to the internet.

Remediation and Mitigation

The primary and only complete remediation is to upgrade changedetection.io to version 0.54.8 or later, where the decorator order has been corrected.

  • Immediate Action: Users and administrators should update their installations to version 0.54.8 or later immediately, and confirm the running version afterwards.
  • Interim containment: If an immediate upgrade is not possible, review your deployment to determine whether administrative or user routes are reachable from the public internet. Place the application behind a network-level access control list (ACL) or a reverse proxy that enforces its own authentication as a temporary containment measure until the patch is applied. These measures limit exposure but are not substitutes for applying the official fix.


Security Insight

This vulnerability is a stark example of a "silent security failure" in software design, where a logical bug completely disables a security control without producing any logs or alerts. It mirrors past incidents in other web frameworks where decorator or middleware order led to unexpected access. It underscores the need for positive security testing in CI/CD pipelines: tests that send an unauthenticated request to each protected route and assert that it is rejected, so that authentication walls are verified to remain intact after every code change, rather than relying on the absence of error messages.
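The decorator-order mechanics described under "Vulnerability Details" and the CI check suggested above, as one added example. This is not changedetection.io's code and does not use Flask: MiniBlueprint.route is a minimal stand-in that behaves like Flask's route decorator (it registers the function it is handed and returns it unchanged), login_optionally_required is a stand-in for the project's decorator that only enforces a login when a password is configured, and the request-context fields password_set and authenticated are hypothetical. The two routes, the public /login allowlist and the request contexts are constructed for the example.

```python
import functools


class MiniBlueprint:
    """Stand-in for Flask's Blueprint (hypothetical, not Flask itself).
    Like Flask's route(), it records whatever function it receives and
    returns that same function unchanged, so decorator order decides
    which callable ends up in the routing table."""

    def __init__(self):
        self.view_functions = {}  # rule -> the function the framework will call

    def route(self, rule):
        def decorator(f):
            self.view_functions[rule] = f
            return f
        return decorator


def login_optionally_required(f):
    """Stand-in for the project's decorator: reject the request only when a
    password has been configured and the caller is not logged in."""
    @functools.wraps(f)
    def wrapper(ctx, *args, **kwargs):
        if ctx.get("password_set") and not ctx.get("authenticated"):
            return (401, "login required")
        return f(ctx, *args, **kwargs)
    wrapper.requires_login = True  # marker that the CI check below looks for
    return wrapper


def dispatch(bp, rule, ctx):
    """Call what the framework registered for `rule`, not the module-level name."""
    return bp.view_functions[rule](ctx)


# Vulnerable order (the pre-0.54.8 pattern): route() runs first and registers the
# bare function; the login wrapper is then applied to a name that is never called.
vulnerable = MiniBlueprint()

@login_optionally_required
@vulnerable.route("/settings")
def settings_vulnerable(ctx):
    return (200, "settings page")


# Corrected order: the login wrapper is applied first, and route() registers it.
fixed = MiniBlueprint()

@fixed.route("/settings")
@login_optionally_required
def settings_fixed(ctx):
    return (200, "settings page")

@fixed.route("/login")          # deliberately public route
def login_page(ctx):
    return (200, "login form")


def unguarded_endpoints(bp, public=()):
    """Positive CI check: every registered rule must carry the login marker
    unless it is explicitly allowlisted as public. Inspects the routing table,
    so a wrapper that was never registered does not count."""
    return sorted(rule for rule, f in bp.view_functions.items()
                  if rule not in public and not getattr(f, "requires_login", False))


# Constructed request contexts.
ANON = {"password_set": True, "authenticated": False}
USER = {"password_set": True, "authenticated": True}
OPEN = {"password_set": False, "authenticated": False}  # no password configured

if __name__ == "__main__":
    print(dispatch(vulnerable, "/settings", ANON))  # (200, 'settings page'): check skipped
    print(dispatch(fixed, "/settings", ANON))       # (401, 'login required')
    print(unguarded_endpoints(vulnerable))          # ['/settings']
    print(unguarded_endpoints(fixed, public=("/login",)))  # []
```

The anonymous request against the vulnerable blueprint succeeds because the routing table holds the undecorated function. The check in unguarded_endpoints catches this statically, without sending a request, because it inspects the function that was actually registered rather than the decorated name; with real Flask the same idea works by iterating app.view_functions. Whichever form is used, it only catches wrappers that set a marker, so it belongs alongside the request-level tests described above, not in place of them.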
