CVE-2026-35490

changedetection.io · changedetection.io

An improper decorator ordering in changedetection.io causes authentication wrappers to be bypassed, exposing sensitive routes to unauthenticated access.

Executive summary

A critical authentication bypass in changedetection.io allows unauthenticated attackers to access restricted application routes.

Vulnerability

The application applies its Flask decorators in the wrong order, so the authentication wrapper is left out of the call chain for the affected routes: the unprotected view function is what gets registered, and the wrapper is never invoked on a request. This effectively disables authentication for those routes and allows unauthenticated remote access.
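The following is an added, generic illustration of the decorator-ordering pitfall described above; it is not changedetection.io's code and does not reproduce the project's routes. To run without Flask installed, `MiniApp` is an assumed stand-in whose `route()` registers the function it receives at decoration time, which is the same behaviour as Flask's `@app.route`. `unprotected_routes()` is the kind of check a defender can adapt to a real Flask app's `view_functions` dictionary to catch registered views that are not wrapped by the auth decorator.

```python
"""Why decorator order matters for Flask-style auth wrappers (added example)."""
from functools import wraps


class MiniApp:
    """Assumed stand-in for a Flask app: a rule -> view-function registry."""

    def __init__(self):
        self.view_functions = {}

    def route(self, rule):
        def decorator(func):
            # Like Flask, register the function exactly as it is right now.
            self.view_functions[rule] = func
            return func
        return decorator

    def dispatch(self, rule, session):
        """Call whatever was registered for the rule (what a request hits)."""
        return self.view_functions[rule](session)


def login_required(view):
    """Auth wrapper: reject requests whose session carries no logged-in user."""
    @wraps(view)
    def wrapper(session):
        if not session.get("user"):
            return 401, "unauthorized"
        return view(session)
    return wrapper


app = MiniApp()


# Wrong order: decorators apply bottom-up, so route() runs first and registers
# the bare view. login_required then wraps a function nothing dispatches to.
@login_required
@app.route("/settings-wrong")
def settings_wrong(session):
    return 200, "settings"


# Correct order: login_required wraps the view first, and the wrapped
# function is what route() registers.
@app.route("/settings-right")
@login_required
def settings_right(session):
    return 200, "settings"


def probe(rule, session):
    """Simulate a request with the given session against a registered rule."""
    return app.dispatch(rule, session)


def unprotected_routes(application, allow=()):
    """Return registered rules whose view is not an auth-wrapped function.

    functools.wraps sets __wrapped__ on the wrapper, so a registered view
    without it was registered bare. `allow` lists rules meant to be public.
    """
    return sorted(
        rule for rule, func in application.view_functions.items()
        if rule not in allow and getattr(func, "__wrapped__", None) is None
    )


if __name__ == "__main__":
    anon = {}  # constructed: a session with no logged-in user
    print("/settings-wrong, anonymous ->", probe("/settings-wrong", anon))
    print("/settings-right, anonymous ->", probe("/settings-right", anon))
    print("unprotected:", unprotected_routes(app))
```

Run as a script, the wrong-order route answers an anonymous request with 200 while the correctly ordered one returns 401, and `unprotected_routes()` names the bare registration. In a real Flask app the same idea applies to `app.view_functions` (keyed by endpoint name rather than rule), with the caveat that a view protected by a `before_request` hook instead of a decorator will legitimately show up as unwrapped.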

Business impact

The bypass of authentication controls poses a severe risk to data confidentiality and integrity. Given the CVSS score of 9.8, this flaw could allow unauthorized actors to manipulate or view sensitive web monitoring data, potentially leading to total system compromise.

Remediation

Immediate Action: Upgrade changedetection.io to version 0.54.8 or later.

Proactive Monitoring: Review web server access logs for anomalous traffic patterns targeting administrative or restricted URI endpoints.

Compensating Controls: Implement IP-based access restrictions or place the application behind an authentication-enabled reverse proxy until the patch is applied.

Exploitation status

Public Exploit Available: No

Analyst recommendation

The severity of this vulnerability necessitates immediate action. Administrators must update the changedetection.io instance to version 0.54.8 to restore proper authentication enforcement and mitigate the risk of unauthorized access.