PT-2026-53431 · Pypi · Flask-Appbuilder

Published

2026-06-29

·

Updated

2026-06-29

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Impact

When Flask-AppBuilder is set to AUTH TYPE AUTH OID, allows an attacker to forge an HTTP request, that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend.
This vulnerability is only exploitable when the application is using the old (deprecated 10 years ago) OpenID 2.0 authorization protocol (which is very different from the popular OIDC - Open ID Connect - popular protocol used today). Currently, this protocol is regarded as legacy, with significantly reduced usage and not supported for several years by major authorization providers.

Patches

Upgrade to Flask-AppBuilder 4.3.11

Workarounds

If upgrade is not possible add the following to your config:
from flask import flash, redirect
from flask appbuilder import expose
from flask appbuilder.security.sqla.manager import SecurityManager
from flask appbuilder.security.views import AuthOIDView
 from flask appbuilder.security.forms import LoginForm oid

basedir = os.path.abspath(os.path.dirname( file ))
 

class FixedOIDView(AuthOIDView):
  @expose("/login/", methods=["GET" , "POST"])
  def login(self, flag=True):
    form = LoginForm oid()
    if form.validate on submit():
      identity url = None
      for provider in self.appbuilder.sm.openid providers:
        if provider.get("url") == form.openid.data:
          identity url = form.openid.data
      if identity url is None:
        flash(self.invalid login message, "warning")
        return redirect(self.appbuilder.get url for login)
    return super().login(flag=flag)

class FixedSecurityManager(SecurityManager):
  authoidview = FixedOIDView


FAB SECURITY MANAGER CLASS = "config.FixedSecurityManager"

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

PYSEC-2026-340

Affected Products

Flask-Appbuilder