CVE-2025-58065

Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider. Users should upgrade to Flask-AppBuilder version 4.8.1 or later to receive a fix. If immediate upgrade is not possible, manually disable password reset routes in the application configuration; implement additional access controls at the web server or proxy level to block access to the reset my password URL; and/or monitor for suspicious password reset attempts from disabled accounts.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/dpgaspar/Flask-AppBuilder/commit/a942a9cc5775752f9a02f97fd8198dd288fa93ee
https://github.com/dpgaspar/Flask-AppBuilder/pull/2384
https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.8.1
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-765j-9r45-w2q2

Configurations

No configuration.

History

11 Sep 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-09-11 18:15

Updated : 2025-09-11 18:15

NVD link : CVE-2025-58065

Mitre link : CVE-2025-58065

CVE.ORG link : CVE-2025-58065

JSON object : View

Products Affected

No product.

CWE

CWE-287

Improper Authentication

6.5 /10