CVE-2026-35490 — AI Deep Analysis Summary

🚨 **Essence**: A critical auth bypass in `changedetection.io`. The `@login_optionally_required` decorator is placed **outside** `@blueprint.route()`.…

🛡️ **CWE-863**: Incorrect Authorization. 🐛 **Flaw**: Decorator ordering error. The login check decorator must be **inside** the route decorator. Placing it outside causes the framework to ignore the auth requirement. 📝

👥 **Vendor**: dgtlmoon. 📦 **Product**: changedetection.io. 📅 **Affected**: Versions **< 0.54.8**. If you are running an older version, you are exposed! ⚠️

💻 **Hackers Can**: Bypass login entirely. 📊 **Impact**: Full access to monitored data, settings, and notifications.…

🔓 **Threshold**: **LOW**. 🚫 **Auth Required**: No. 🌐 **Network**: Remote. The vulnerability allows access without any credentials. It is an **Unauthenticated** attack vector. 🎯

🚫 **Public Exploit**: No PoC listed in data. 📰 **Status**: Advisory published (GHSA-jmrh-xmgh-x9j4). While no code is public, the logic flaw is clear. Exploitation is theoretically trivial for skilled attackers. 🧠

🔍 **Self-Check**: 1. Check your version number. 📉 2. If < 0.54.8, you are vulnerable. 🛠️ 3. Verify if `@login_optionally_required` is outside `@blueprint.route()` in custom code (if applicable). 📂

✅ **Fixed**: Yes. 📦 **Patch**: Update to version **0.54.8** or later. 🔄 **Action**: Immediate upgrade is the official mitigation. Check GitHub advisories for details. 📢

🚧 **No Patch?**: Isolate the instance. 🚫 **Network**: Block external access to the app. 🛡️ **WAF**: Use a Web Application Firewall to block unauthenticated access to sensitive endpoints. 🧱

🔥 **Urgency**: **CRITICAL**. 🚨 **Priority**: Patch Immediately. CVSS Score is High (AV:N/AC:L/PR:N). Unauthenticated access to a monitoring tool is a severe risk. Do not delay! ⏳