Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods
Description
Flask-AppBuilder is an application development framework. Prior to version 4.8.1, when Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider. Users should upgrade to Flask-AppBuilder version 4.8.1 or later to receive a fix. If immediate upgrade is not possible, manually disable password reset routes in the application configuration; implement additional access controls at the web server or proxy level to block access to the reset my password URL; and/or monitor for suspicious password reset attempts from disabled accounts.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
flask-appbuilderPyPI | < 4.8.1 | 4.8.1 |
Affected products
1- Range: < 4.8.1
Patches
1a942a9cc5775fix: don't register reset my password when not on AUTH_DB (#2384)
2 files changed · +22 −2
flask_appbuilder/security/manager.py+2 −2 modified@@ -813,13 +813,13 @@ def register_views(self): if self.registeruser_view: self.appbuilder.add_view_no_menu(self.registeruser_view) - self.appbuilder.add_view_no_menu(self.resetpasswordview()) - self.appbuilder.add_view_no_menu(self.resetmypasswordview()) self.appbuilder.add_view_no_menu(self.userinfoeditview()) if self.auth_type == AUTH_DB: self.user_view = self.userdbmodelview self.auth_view = self.authdbview() + self.appbuilder.add_view_no_menu(self.resetpasswordview()) + self.appbuilder.add_view_no_menu(self.resetmypasswordview()) elif self.auth_type == AUTH_LDAP: self.user_view = self.userldapmodelview
tests/security/test_auth_oauth.py+20 −0 modified@@ -695,6 +695,26 @@ def test_oauth_user_info_auth0(self): }, ) + def test_reset_password_view_not_registered_with_oauth(self): + """ + OAUTH: test that ResetMyPasswordView is not registered when using OAuth + authentication + """ + self.appbuilder = AppBuilder(self.app, self.db.session) + + for view in self.appbuilder.baseviews: + if view.__class__.__name__ == "ResetMyPasswordView": + self.fail( + "ResetMyPasswordView should not be registered when using OAuth " + "authentication" + ) + + # Also verify that the view is not accessible via URL + with self.app.test_client() as client: + response = client.get("/resetmypassword/form") + # Should return 404 since the view is not registered + self.assertEqual(response.status_code, 404) + class OAuthAuthentikTestCase(unittest.TestCase): def setUp(self):
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-765j-9r45-w2q2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-58065ghsaADVISORY
- github.com/dpgaspar/Flask-AppBuilder/commit/a942a9cc5775752f9a02f97fd8198dd288fa93eeghsax_refsource_MISCWEB
- github.com/dpgaspar/Flask-AppBuilder/pull/2384ghsax_refsource_MISCWEB
- github.com/dpgaspar/Flask-AppBuilder/releases/tag/v4.8.1ghsax_refsource_MISCWEB
- github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-765j-9r45-w2q2ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.