Description

Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider. Users should upgrade to Flask-AppBuilder version 4.8.1 or later to receive a fix. If immediate upgrade is not possible, manually disable password reset routes in the application configuration; implement additional access controls at the web server or proxy level to block access to the reset my password URL; and/or monitor for suspicious password reset attempts from disabled accounts.

INFO

Published Date :

2025-09-11T17:55:48.520Z

Last Modified :

2025-09-11T19:22:16.705Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-58065 vulnerability.

Vendors Products
Dpgaspar
  • Flask-appbuilder
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-58065.

URL Resource
https://github.com/dpgaspar/Flask-AppBuilder/commit/a942a9cc5775752f9a02f97fd8198dd288fa93ee cve-icon cve-icon
https://github.com/dpgaspar/Flask-AppBuilder/pull/2384 cve-icon cve-icon
https://github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.8.1 cve-icon cve-icon
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-765j-9r45-w2q2 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact