Description
changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes. This vulnerability is fixed in 0.54.8.
Published: 2026-04-07
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

The flaw arises from incorrect ordering of Flask decorators, causing the authentication wrapper to be omitted from the route handlers. As a result, any request to protected endpoints is served without validating credentials, giving attackers unrestricted access. This vulnerability aligns with CWE-863, representing authentication bypass issues.

Affected Systems

The affected product is changedetection.io from dgtlmoon, versions prior to 0.54.8. Users running these earlier releases are susceptible if the web interface exposes routes that should require login.

Risk and Exploitability

With a CVSS score of 9.8, the vulnerability is considered critical. The EPSS score is unavailable but the lack of a KEV listing does not mitigate the high potential for exploitation. An attacker can exploit this remotely by sending unauthenticated HTTP requests to the affected endpoints, gaining full control over the application's functionality without needing valid credentials.

Generated by OpenCVE AI on April 7, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update changedetection.io to version 0.54.8 or later where the decorator order has been corrected.

Generated by OpenCVE AI on April 7, 2026 at 22:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jmrh-xmgh-x9j4 changedetection.io Vulnerable to Authentication Bypass via Decorator Ordering
History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Dgtlmoon
Dgtlmoon changedetection.io
Vendors & Products Dgtlmoon
Dgtlmoon changedetection.io

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes. This vulnerability is fixed in 0.54.8.
Title changedetection.io has an Authentication Bypass via Decorator Ordering
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Dgtlmoon Changedetection.io
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T14:55:24.120Z

Reserved: 2026-04-02T20:49:44.454Z

Link: CVE-2026-35490

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-07T16:16:27.317

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-35490

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:48:34Z

Weaknesses