CVE-2025-58065: Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods
(updated )
When Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider.
References
- github.com/advisories/GHSA-765j-9r45-w2q2
- github.com/dpgaspar/Flask-AppBuilder
- github.com/dpgaspar/Flask-AppBuilder/commit/a942a9cc5775752f9a02f97fd8198dd288fa93ee
- github.com/dpgaspar/Flask-AppBuilder/pull/2384
- github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.8.1
- github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-765j-9r45-w2q2
- nvd.nist.gov/vuln/detail/CVE-2025-58065
Code Behaviors & Features
Detect and mitigate CVE-2025-58065 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →