Cyber Resilience

CVE-2026-35490

Severity: Critical · Public PoC referenced

Published: 07 April 2026
Modified: 14 April 2026
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0054 (41.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-35490 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Webtechnologies Changedetection. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 41.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-35490 affects changedetection.io, a free open source web page change detection tool, in versions prior to 0.54.8. The vulnerability arises from incorrect decorator ordering in its Flask-based implementation: the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator as it registers the function it receives; when reversed, @route() registers the original undecorated function, and the authentication wrapper is never invoked. This silently disables authentication on affected routes and is classified as CWE-863 (Incorrect Authorization), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Any remote attacker can exploit this vulnerability over the network with low complexity, no privileges, and no user interaction required. By accessing the affected routes directly, attackers bypass authentication entirely, gaining unauthorized access to functionality that should be protected, which can result in high impacts to confidentiality, integrity, and availability depending on the routes' privileges.

The GitHub security advisory (GHSA-jmrh-xmgh-x9j4) states that the issue is fixed in changedetection.io version 0.54.8 by correcting the decorator order to ensure the authentication wrapper is properly included in the call chain. Security practitioners should upgrade to this version or later to mitigate the vulnerability.


Vulnerability details

changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes. This vulnerability is fixed in 0.54.8.
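The decorator-ordering defect described in the deeper analysis and in the vulnerability details above, reproduced as an added example that is not the project's code: a minimal stand-in for Flask's Blueprint.route() registration (it stores whatever function it receives), a hypothetical login_required wrapper standing in for @login_optionally_required, the misordered and corrected registrations side by side, and an audit helper that flags registered views carrying no wrapper.

```python
import functools

# Minimal stand-in for a Flask Blueprint, constructed for this example (not Flask's
# code): route() registers the function it is handed and returns it unchanged.
class Blueprint:
    def __init__(self):
        self.view_functions = {}

    def route(self, rule):
        def register(view):
            self.view_functions[rule] = view
            return view
        return register

# Hypothetical stand-in for the project's @login_optionally_required decorator.
def login_required(view):
    @functools.wraps(view)          # records the inner view as wrapper.__wrapped__
    def wrapper(*args, **kwargs):
        if not kwargs.pop("authenticated", False):
            return "401 Unauthorized"
        return view(*args, **kwargs)
    return wrapper

def build_vulnerable():
    bp = Blueprint()
    @login_required             # applied second: wraps only the local name `edit`
    @bp.route("/edit")          # applied first: registers the bare, unwrapped view
    def edit(**kwargs):
        return "secret config"
    return bp

def build_fixed():
    bp = Blueprint()
    @bp.route("/edit")          # outermost: registers the already-wrapped view
    @login_required
    def edit(**kwargs):
        return "secret config"
    return bp

def dispatch(bp, path, authenticated):
    """Simulate a request to `path`; only the registered callable is ever invoked."""
    return bp.view_functions[path](authenticated=authenticated)

def unwrapped_routes(bp):
    """Audit helper: routes whose registered view has no auth wrapper around it."""
    return [rule for rule, view in bp.view_functions.items()
            if not hasattr(view, "__wrapped__")]

if __name__ == "__main__":
    print(dispatch(build_vulnerable(), "/edit", authenticated=False))  # secret config
    print(dispatch(build_fixed(), "/edit", authenticated=False))       # 401 Unauthorized
    print(unwrapped_routes(build_vulnerable()))                        # ['/edit']
```

The same `__wrapped__` check can be run over a real Flask app's `app.view_functions` dictionary to find routes whose registered view bypasses a `functools.wraps`-based auth decorator.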


MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in a public-facing web application (changedetection.io) due to Flask decorator misordering, allowing remote unauthenticated access to protected routes; this directly enables T1190 (Exploit Public-Facing Application) for initial unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-29065 · Same product: Webtechnologies Changedetection
CVE-2026-43891 · Same product: Webtechnologies Changedetection
CVE-2026-29039 · Same product: Webtechnologies Changedetection
CVE-2026-27696 · Same product: Webtechnologies Changedetection
CVE-2026-32924 · Shared CWE-863
CVE-2026-23837 · Shared CWE-863
CVE-2020-36948 · Shared CWE-863
CVE-2026-29087 · Shared CWE-863
CVE-2026-30947 · Shared CWE-863
CVE-2024-13291 · Shared CWE-863

Affected Assets

Vendor: webtechnologies
Product: changedetection
Versions: ≤ 0.54.8

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, and correction of software flaws like incorrect decorator ordering that silently disables authentication on affected routes.

AC-3 Access Enforcement (prevent): Enforces approved authorizations for logical access, directly countering the authentication bypass caused by reversed decorator order in Flask routes.

Configuration settings control (prevent; identifier not given on this page): Mandates secure configuration settings for web application components, including proper decorator ordering to ensure authentication wrappers are applied to routes.
