CVE-2025-58065

Impact

When Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider.

Patches

Upgrade to Flask-AppBuilder version 4.8.1 or later

Workarounds

If immediate upgrade is not possible:

Manually disable password reset routes in the application configuration
Implement additional access controls at the web server or proxy level to block access to the reset my password URL.
Monitor for suspicious password reset attempts from disabled accounts

Published: Sep 11, 2025
Updated: Sep 12, 2025
CVE: CVE-2025-58065
GHSA: GHSA-765j-9r45-w2q2
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWEs:

CWE-287

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
Flask-AppBuilder	-	4.8.1

Vulnerability Database

CVE-2025-58065

Impact

Patches

Workarounds