CVE-2026-35490: changedetection.io Auth Bypass Flaw

CVE-2026-35490 Overview

CVE-2026-35490 is an Authentication Bypass vulnerability in changedetection.io, a free open source web page change detection tool. Prior to version 0.54.8, the @login_optionally_required decorator is incorrectly placed before (outer to) the @blueprint.route() decorator instead of after it. This decorator ordering issue causes Flask to register the original undecorated function, completely bypassing the authentication wrapper and silently disabling authentication on affected routes.

Critical Impact

Unauthenticated attackers can access protected routes that should require authentication, potentially exposing sensitive change detection data, configurations, and allowing unauthorized modifications to monitored pages.

Affected Products

• changedetection.io versions prior to 0.54.8

Discovery Timeline

• 2026-04-07 - CVE CVE-2026-35490 published to NVD
• 2026-04-09 - Last updated in NVD database

Technical Details for CVE-2026-35490

Vulnerability Analysis

This vulnerability stems from a fundamental misunderstanding of Flask's decorator execution order. In Flask applications, the @route() decorator must always be the outermost decorator because it registers the function it receives with the application's URL routing system. When the @login_optionally_required decorator is placed outside of @blueprint.route(), the route decorator registers the raw, unprotected function directly with Flask's routing table, while the authentication wrapper is never included in the actual call chain.

The vulnerability is classified under CWE-863 (Incorrect Authorization), as the application fails to properly enforce authorization checks on protected endpoints. This allows unauthenticated users to access routes that were intended to require authentication, effectively granting them unauthorized access to sensitive functionality.

Root Cause

The root cause is improper decorator ordering in the Flask application code. Python decorators are applied from bottom to top (innermost to outermost), meaning the decorator closest to the function definition is applied first. When @login_optionally_required is placed above @blueprint.route(), Flask's routing mechanism receives and registers the original function before the authentication wrapper can be applied. This results in the authentication logic being completely bypassed for all affected routes.

Attack Vector

The attack vector is network-based, requiring no authentication, no user interaction, and involving low complexity. An attacker can exploit this vulnerability by simply accessing the affected routes directly without providing any authentication credentials. Since the authentication wrapper is never executed, the application treats all requests to these routes as if they were properly authenticated.

Exploitation is straightforward: an attacker identifies the protected endpoints in the changedetection.io application and sends HTTP requests directly to them. The server processes these requests without any authentication challenge, providing full access to the intended functionality.

For technical details on the specific affected routes and decorator patterns, see the GitHub Security Advisory.

Detection Methods for CVE-2026-35490

Indicators of Compromise

• Unexpected access to changedetection.io administrative or protected routes from unauthenticated sessions
• Web server logs showing successful responses (HTTP 200) to protected endpoints without associated authentication events
• Unusual modifications to monitored page configurations without corresponding authenticated user activity
• Access patterns showing direct requests to protected API endpoints bypassing normal authentication flow

Detection Strategies

• Review web server access logs for requests to protected changedetection.io routes that lack authentication headers or session tokens
• Implement network monitoring to detect anomalous access patterns to the changedetection.io application
• Audit Flask application decorator ordering in deployed code to identify the vulnerable pattern
• Compare installed changedetection.io version against the fixed version 0.54.8

Monitoring Recommendations

• Enable detailed access logging for all changedetection.io routes to track authentication status per request
• Set up alerts for access to administrative endpoints from unexpected IP addresses or without valid sessions
• Monitor for bulk or automated access patterns that may indicate reconnaissance or exploitation attempts
• Implement application-level logging to capture authentication bypass attempts

How to Mitigate CVE-2026-35490

Immediate Actions Required

• Upgrade changedetection.io to version 0.54.8 or later immediately
• Review access logs to identify any potential unauthorized access that may have occurred before patching
• If upgrade is not immediately possible, restrict network access to the changedetection.io application to trusted IP addresses only
• Audit any configuration changes or monitored page modifications for signs of tampering

Patch Information

The vulnerability has been fixed in changedetection.io version 0.54.8. The fix corrects the decorator ordering to ensure @blueprint.route() is the outermost decorator, allowing the @login_optionally_required authentication wrapper to be properly included in the request handling chain.

Users should upgrade to the latest version available. For detailed information about the fix, refer to the GitHub Security Advisory.

Workarounds

• Place the changedetection.io instance behind a reverse proxy with authentication requirements
• Implement network-level access controls (firewall rules, VPN requirements) to restrict access to trusted users only
• Use HTTP Basic Authentication at the web server level as an additional authentication layer
• Temporarily disable public network access to the application until the patch can be applied

# Example: Restricting access via iptables to trusted IP only
iptables -A INPUT -p tcp --dport 5000 -s TRUSTED_IP_ADDRESS -j ACCEPT
iptables -A INPUT -p tcp --dport 5000 -j DROP