CVE-2026-35490: CWE-863: Incorrect Authorization in dgtlmoon changedetection.io
changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes. This vulnerability is fixed in 0.54.8.
AI Analysis
Technical Summary
In changedetection.io before version 0.54.8, the authentication decorator (@login_optionally_required) was applied incorrectly outside the Flask route decorator (@blueprint.route()). Flask requires @route() to be the outermost decorator to properly register the wrapped function. Because the decorators were reversed, the route registered the original function without the authentication wrapper, effectively bypassing authorization checks on those routes. This is classified as CWE-863: Incorrect Authorization. The vulnerability is resolved in version 0.54.8 by correcting the decorator order.
Potential Impact
This vulnerability allows unauthenticated users to access routes that should require authentication, potentially leading to unauthorized access to sensitive functionality or data. The CVSS 3.1 score of 9.8 indicates critical impact with high confidentiality, integrity, and availability consequences. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade changedetection.io to version 0.54.8 or later, where the decorator order is corrected and authentication is properly enforced. Since this is an open source product and not a cloud service, manual patching by updating to the fixed version is required. Patch status is not explicitly stated in vendor advisories, but the fix is included in version 0.54.8 as per the description.
CVE-2026-35490: CWE-863: Incorrect Authorization in dgtlmoon changedetection.io
Description
changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes. This vulnerability is fixed in 0.54.8.
CVSS v3.1
Score 9.8critical
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
In changedetection.io before version 0.54.8, the authentication decorator (@login_optionally_required) was applied incorrectly outside the Flask route decorator (@blueprint.route()). Flask requires @route() to be the outermost decorator to properly register the wrapped function. Because the decorators were reversed, the route registered the original function without the authentication wrapper, effectively bypassing authorization checks on those routes. This is classified as CWE-863: Incorrect Authorization. The vulnerability is resolved in version 0.54.8 by correcting the decorator order.
Potential Impact
This vulnerability allows unauthenticated users to access routes that should require authentication, potentially leading to unauthorized access to sensitive functionality or data. The CVSS 3.1 score of 9.8 indicates critical impact with high confidentiality, integrity, and availability consequences. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade changedetection.io to version 0.54.8 or later, where the decorator order is corrected and authentication is properly enforced. Since this is an open source product and not a cloud service, manual patching by updating to the fixed version is required. Patch status is not explicitly stated in vendor advisories, but the fix is included in version 0.54.8 as per the description.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-02T20:49:44.454Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d52344aaed68159a2ec610
Added to database: 4/7/2026, 3:31:16 PM
Last enriched: 4/15/2026, 12:30:59 PM
Last updated: 6/9/2026, 3:04:52 PM
Views: 65
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.