Impact
A flaw in changedetection.io occurs when the login decorator is applied in the wrong order relative to the route registration. Because the authentication wrapper sits inside the route decorator, Flask registers the original view function without any authentication check; the wrapped version is never the one that handles requests. As a result, protected routes can be reached without credentials, giving an attacker the full functionality of the application and any data it exposes. Based on the description, the likely attack vector is an unauthenticated HTTP request to a URL that should be protected. The vulnerability is limited to deployments running a version older than 0.54.8; all earlier releases contain the decorator ordering bug. The CVSS score of 9.8 represents critical severity, while the EPSS score of less than 1% suggests that automated exploitation is unlikely at present. The vulnerability has not yet appeared in CISA's KEV catalog. An attacker who discovers the fault can simply send a request to a previously protected endpoint and gain immediate access without providing any authentication. The most effective defense is to upgrade to 0.54.8 or later.
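The ordering problem described above, as an added illustration that is not code from changedetection.io. `MiniApp` is a toy stand-in for Flask's route registration (an assumption, chosen so the example runs without Flask; like `flask.Flask.route`, it records the function it receives and returns it unchanged), and `login_required`, `/settings` and the session dictionary are hypothetical names:

```python
from functools import wraps

class MiniApp:
    """Toy stand-in for Flask (assumption, not Flask itself): like
    flask.Flask.route, the decorator records the function it receives in
    the URL map and returns that same function unchanged."""
    def __init__(self):
        self.view_functions = {}

    def route(self, path):
        def decorator(view):
            self.view_functions[path] = view
            return view
        return decorator

    def dispatch(self, path, session):
        # Simulate a request: call whatever is registered for `path`.
        return self.view_functions[path](session)

def login_required(view):
    """Hypothetical auth decorator standing in for the project's own."""
    @wraps(view)
    def wrapper(session):
        if not session.get("logged_in"):
            return (401, "login required")
        return view(session)
    return wrapper

def build_vulnerable_app():
    # Wrong order: route() runs first and registers the bare view; the
    # login_required wrapper is applied to a function the URL map never sees.
    app = MiniApp()

    @login_required
    @app.route("/settings")
    def settings(session):
        return (200, "settings page")
    return app

def build_fixed_app():
    # Correct order: login_required wraps the view first and route()
    # registers the wrapped function, so every request hits the check.
    app = MiniApp()

    @app.route("/settings")
    @login_required
    def settings(session):
        return (200, "settings page")
    return app
```

Dispatching an anonymous request (empty session) to `/settings` on the vulnerable app returns the page, while the fixed app returns 401; a session with `logged_in` set gets the page from both.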
Affected Systems
Affected systems include installations of changedetection.io version 0.54.7 and earlier, which are maintained by dgtlmoon. These versions precede the fix introduced in 0.54.8. The vulnerability is not present in newer releases.
Risk and Exploitability
The CVSS score of 9.8 indicates critical severity. The EPSS score of less than 1% indicates a low probability of automated exploitation at present. The vulnerability is not listed in KEV. Because the bypass removes authentication entirely, a single unauthenticated HTTP request to a protected endpoint is enough to exploit it. Attackers may gain full application access and data. The attack vector is likely remote via web request.
OpenCVE Enrichment
GitHub GHSA