PT-2026-30758 · Unknown · Changedetection.Io
Axel-Corsiez · Published 2026-04-06 · Updated 2026-04-07
CVE-2026-35490 · CVSS v3.1 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions: changedetection.io versions prior to 0.54.8

Description: The @login_optionally_required decorator was incorrectly placed before @blueprint.route() on 13 routes across 5 blueprint files. Because Flask's route decorator registers the function it is handed and returns that same function unchanged, an authentication decorator applied above it wraps an object that is never registered: the view actually served has no authentication check. This decorator order reversal therefore allows unauthenticated access to sensitive routes, including backup creation, listing, download, and removal. Successful exploitation can lead to complete data exfiltration, including monitored URLs, notification webhook URLs (potentially containing API tokens), and configuration data. Attackers could also upload malicious backups to inject configurations, perform Server-Side Request Forgery (SSRF), and potentially hijack browser sessions. The affected endpoints include '/backups/request-backup', '/backups/', '/backups/download/<filename>', and '/backups/remove-backups'. The vulnerable parameter is the filename in the '/backups/download/<filename>' endpoint.

Recommendations: Update to version 0.54.8 or later. Ensure the @blueprint.route() decorator is the outermost (topmost) decorator on every affected route, so that the object route() registers is the authentication wrapper rather than the bare view function. For example:

    @blueprint.route('/backups/download/<filename>')
    @login_optionally_required
    def download_backup(filename):
        ...
Weakness Enumeration: Incorrect Authorization
Related Identifiers: CVE-2026-35490
Affected Products: Changedetection.Io