CVE-2025-58065 — Improper Authentication in Flask-appbuilder

CWE-287 — Improper Authentication4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 89.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dpgaspar Flask-appbuilder

Timeline

PublishedSep 11

Description

Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider. Users should upgrade to Flask-AppBuilder version 4.8.…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5dpgaspar/flask-appbuilder< 4.8.1

▶NVDdpgaspar/flask-appbuilder< 4.8.1

▶PyPIdpgaspar/flask-appbuilder< 4.8.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods↗2025-09-11

▶

CVEList

Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods↗2025-09-11

▶

OSV

Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods↗2025-09-11

▶