CVE-2026-35490
Published: 07 April 2026
Summary
CVE-2026-35490 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Webtechnologies Changedetection. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 6.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of software flaws such as the decorator misordering that silently disables authentication on the affected routes; here that means upgrading to 0.54.8 or later.
- AC-3 (Access Enforcement): enforces approved authorizations for logical access, directly countering the authentication bypass caused by the reversed decorator order in the Flask routes.
- Secure configuration settings for web application components: includes verifying that the authentication wrapper is actually in the call chain for every route that should be protected, rather than assuming the decorator's presence in the source is enough.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass in a public-facing web application (changedetection.io) due to Flask decorator misordering, allowing remote unauthenticated access to protected routes; this directly enables T1190 (Exploit Public-Facing Application) for initial unauthorized access.
NVD Description
changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes. This vulnerability is fixed in 0.54.8.
Deeper analysis
CVE-2026-35490 affects changedetection.io, a free open source web page change detection tool, in versions prior to 0.54.8. The vulnerability arises from incorrect decorator ordering in its Flask-based implementation: the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator as it registers the function it receives; when reversed, @route() registers the original undecorated function, and the authentication wrapper is never invoked. This silently disables authentication on affected routes and is classified as CWE-863 (Incorrect Authorization), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Any remote attacker can exploit this vulnerability over the network with low complexity, no privileges, and no user interaction required. By accessing the affected routes directly, attackers bypass authentication entirely, gaining unauthorized access to functionality that should be protected, which can result in high impacts to confidentiality, integrity, and availability depending on the routes' privileges.
The GitHub security advisory (GHSA-jmrh-xmgh-x9j4) states that the issue is fixed in changedetection.io version 0.54.8 by correcting the decorator order to ensure the authentication wrapper is properly included in the call chain. Security practitioners should upgrade to this version or later to mitigate the vulnerability.
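The mechanism described in the NVD text and in the analysis above is easy to reproduce without Flask installed. The following is an added example, not code from changedetection.io: a minimal stand-in for @blueprint.route() that, like Flask's add_url_rule, stores whatever callable it is handed and returns it unchanged. The name login_optionally_required is taken from the advisory, but its body (reject requests that are not authenticated) and the _auth_enforced marker are assumptions for illustration. The audit function at the end is the check a maintainer would want: walk the registered view functions and flag any route whose registered callable is not the auth wrapper.

```python
"""Added example (not changedetection.io code): why decorator order decides
whether a Flask-style auth wrapper ever runs, plus an audit of registered views.
"""
import functools
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]


class MiniBlueprint:
    """Stand-in for flask.Blueprint. route() registers the exact object it
    receives and returns it unchanged, which is the behaviour that matters here."""

    def __init__(self) -> None:
        self.view_functions: Dict[str, Callable] = {}

    def route(self, rule: str):
        def decorator(view: Callable) -> Callable:
            self.view_functions[rule] = view  # whatever is handed in gets registered
            return view
        return decorator

    def dispatch(self, rule: str, request: dict) -> Response:
        # The dispatcher only ever sees what route() registered.
        return self.view_functions[rule](request)


def login_optionally_required(view: Callable) -> Callable:
    """Assumed shape of the auth wrapper: refuse unauthenticated requests."""
    @functools.wraps(view)
    def wrapper(request: dict) -> Response:
        if not request.get("authenticated"):
            return 401, "login required"
        return view(request)
    wrapper._auth_enforced = True  # marker consumed by audit_unprotected_routes (assumed)
    return wrapper


vulnerable = MiniBlueprint()
fixed = MiniBlueprint()


# Pre-0.54.8 ordering: route() is applied first (innermost), so it registers the
# bare function. login_optionally_required then wraps that function, but only the
# module-level name receives the wrapper; the router still holds the original.
@login_optionally_required
@vulnerable.route("/settings")
def settings_vulnerable(request: dict) -> Response:
    return 200, "secrets"


# Fixed ordering: the auth wrapper is applied first, then route() registers the
# wrapped callable, so every dispatch passes through the auth check.
@fixed.route("/settings")
@login_optionally_required
def settings_fixed(request: dict) -> Response:
    return 200, "secrets"


def audit_unprotected_routes(bp: MiniBlueprint) -> List[str]:
    """Return rules whose *registered* view lacks the auth marker.
    Inspecting the registry (not the source) is what catches the misordering."""
    return sorted(rule for rule, view in bp.view_functions.items()
                  if not getattr(view, "_auth_enforced", False))


ANON = {"authenticated": False}  # constructed unauthenticated request

if __name__ == "__main__":
    print(vulnerable.dispatch("/settings", ANON))  # (200, 'secrets'): auth never ran
    print(fixed.dispatch("/settings", ANON))       # (401, 'login required')
    print(audit_unprotected_routes(vulnerable))    # ['/settings']
    print(audit_unprotected_routes(fixed))         # []
```

Against a real Flask application the same audit runs over app.view_functions (the endpoint-to-callable dict Flask maintains), which is the object the dispatcher actually consults; a decorator that is visibly present in the source but absent from that dict is exactly the condition this CVE describes.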
Details
- CWE(s)