theinfosecnews

CVE-2026-35490

Published April 7, 2026 · Updated April 7, 2026

CVSS 9.8 (Critical)

What This Means

CVE-2026-35490 is a critical vulnerability in changedetection.io, a web page change detection tool, with a CVSS Score of 9.8. The flaw arises from incorrect decorator ordering in Flask that causes authentication to be bypassed on specific routes, potentially exposing sensitive data. Users should upgrade to version 0.54.8 or later to mitigate this risk.

Official Description

changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes. This vulnerability is fixed in 0.54.8.
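The decorator-ordering mistake described above can be reproduced without Flask itself. The following is an added illustration, not code from changedetection.io or from Flask: `MiniApp` is a constructed stand-in whose `route()` behaves the way Flask's does (it registers the function it receives and returns it unchanged), `login_required` is a hypothetical auth wrapper, and the route names and responses are made up. Dispatching to the route registered with the wrong order reaches the view with no authentication check at all, while the correctly ordered route refuses unauthenticated callers.

```python
import functools

# Constructed stand-in for Flask's app/Blueprint route registry. The one
# behaviour that matters here mirrors Flask: route() stores the function it is
# given in the view table and returns that same function, so whatever is applied
# on top of @route() afterwards never reaches the registry.
class MiniApp:
    def __init__(self):
        self.view_functions = {}

    def route(self, rule):
        def decorator(f):
            self.view_functions[rule] = f
            return f
        return decorator

    def dispatch(self, rule, authenticated):
        """Look up the registered view for `rule` and call it (simulated request)."""
        view = self.view_functions[rule]
        return view(authenticated=authenticated)


def login_required(f):
    """Hypothetical auth wrapper: rejects the call unless authenticated=True."""
    @functools.wraps(f)
    def wrapper(*args, authenticated=False, **kwargs):
        if not authenticated:
            return 401, "login required"
        return f(*args, authenticated=authenticated, **kwargs)
    return wrapper


app = MiniApp()

# Wrong order (the pattern the advisory describes): decorators apply bottom-up,
# so app.route() runs first on the bare function and registers it. The auth
# wrapper is then applied to the returned object, but the registry already holds
# the unwrapped view, so the wrapper is never in the request's call chain.
@login_required
@app.route("/wrong")
def secrets_wrong(authenticated=False):
    return 200, "sensitive data"


# Correct order: @app.route() is outermost, so it receives and registers the
# already-wrapped function and every request passes through the auth check.
@app.route("/right")
@login_required
def secrets_right(authenticated=False):
    return 200, "sensitive data"


def unauthenticated_status(rule):
    """HTTP-style status an unauthenticated caller gets from `rule`."""
    return app.dispatch(rule, authenticated=False)[0]


def unwrapped_routes(registry):
    """Audit helper: routes whose registered view carries no decorator wrapper.

    functools.wraps sets __wrapped__ on the wrapper, so a registered view
    without that attribute was stored bare. Public routes legitimately appear
    here too, so treat the list as a review queue, not a verdict.
    """
    return sorted(rule for rule, view in registry.view_functions.items()
                  if not hasattr(view, "__wrapped__"))


if __name__ == "__main__":
    for rule in ("/wrong", "/right"):
        print(rule, "unauthenticated ->", app.dispatch(rule, authenticated=False))
    print("routes registered without a wrapper:", unwrapped_routes(app))
```

The audit helper is the practical takeaway for defenders: after upgrading, iterating over the application's registered view functions and flagging any that lack a wrapper is a cheap way to confirm that every route meant to be protected actually has the auth decorator in its call chain, rather than trusting the decorator's presence in the source text.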

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. Monitor vendor advisories for updates and additional mitigations.
  4. Review logs for indicators of compromise related to CVE-2026-35490.