CVE-2025-58065

Name of the Vulnerable Software and Affected Versions: Flask-AppBuilder versions prior to 4.8.1

Description: Flask-AppBuilder is an application development framework. When configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains accessible even after a user is disabled on the authentication provider. This allows an enabled user to reset their password and create JWT tokens after being disabled on the authentication provider.

Recommendations: Upgrade to Flask-AppBuilder version 4.8.1 or later. If immediate upgrade is not possible, manually disable password reset routes in the application configuration. Implement additional access controls at the web server or proxy level to block access to the password reset URL. Monitor for suspicious password reset attempts from disabled accounts.