VulnerableCode Package Details - pkg:pypi/flask-appbuilder@4.3.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-8zwq-xg8n-q7g9 Aliases: CVE-2025-32962 GHSA-99pm-ch96-ccp2	Flask-AppBuilder open redirect vulnerability using HTTP host injection Flask-AppBuilder prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests.	4.6.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-hg35-2qm4-b7h9 Aliases: CVE-2025-24023 GHSA-p8q5-cvwx-wvwp PYSEC-2025-15	Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3.	4.5.3 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-nc2g-v8pn-nqcy Aliases: CVE-2024-25128 GHSA-j2pw-vp55-fqqj	Flask-AppBuilder vulnerable to incorrect authentication when using auth type OpenID ### Impact When Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, allows an attacker to forge an HTTP request, that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend. This vulnerability is only exploitable when the application is using the old (deprecated 10 years ago) OpenID 2.0 authorization protocol (which is very different from the popular OIDC - Open ID Connect - popular protocol used today). Currently, this protocol is regarded as legacy, with significantly reduced usage and not supported for several years by major authorization providers. ### Patches Upgrade to Flask-AppBuilder 4.3.11 ### Workarounds If upgrade is not possible add the following to your config: ``` from flask import flash, redirect from flask_appbuilder import expose from flask_appbuilder.security.sqla.manager import SecurityManager from flask_appbuilder.security.views import AuthOIDView from flask_appbuilder.security.forms import LoginForm_oid basedir = os.path.abspath(os.path.dirname(__file__)) class FixedOIDView(AuthOIDView): @expose("/login/", methods=["GET", "POST"]) def login(self, flag=True): form = LoginForm_oid() if form.validate_on_submit(): identity_url = None for provider in self.appbuilder.sm.openid_providers: if provider.get("url") == form.openid.data: identity_url = form.openid.data if identity_url is None: flash(self.invalid_login_message, "warning") return redirect(self.appbuilder.get_url_for_login) return super().login(flag=flag) class FixedSecurityManager(SecurityManager): authoidview = FixedOIDView FAB_SECURITY_MANAGER_CLASS = "config.FixedSecurityManager" ```	4.3.11 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-swdd-djht-pbbh Aliases: CVE-2024-45314 GHSA-fw5r-6m3x-rh7p	Flask-AppBuilder's login form allows browser to cache sensitive fields Auth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using shared computer resources.	4.5.1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-t897-gphs-wugu Aliases: CVE-2025-58065 GHSA-765j-9r45-w2q2	Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods When Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider.	4.8.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-8zwq-xg8n-q7g9
Aliases:
CVE-2025-32962
GHSA-99pm-ch96-ccp2

Flask-AppBuilder open redirect vulnerability using HTTP host injection Flask-AppBuilder prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests.

4.6.2
Affected by 1 other vulnerability.

VCID-hg35-2qm4-b7h9
Aliases:
CVE-2025-24023
GHSA-p8q5-cvwx-wvwp
PYSEC-2025-15

Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3.

4.5.3
Affected by 2 other vulnerabilities.

VCID-nc2g-v8pn-nqcy
Aliases:
CVE-2024-25128
GHSA-j2pw-vp55-fqqj

Flask-AppBuilder vulnerable to incorrect authentication when using auth type OpenID ### Impact When Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, allows an attacker to forge an HTTP request, that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privilege access if a custom OpenID service is deployed by the attacker and accessible by the backend. This vulnerability is only exploitable when the application is using the old (deprecated 10 years ago) OpenID 2.0 authorization protocol (which is very different from the popular OIDC - Open ID Connect - popular protocol used today). Currently, this protocol is regarded as legacy, with significantly reduced usage and not supported for several years by major authorization providers. ### Patches Upgrade to Flask-AppBuilder 4.3.11 ### Workarounds If upgrade is not possible add the following to your config: ``` from flask import flash, redirect from flask_appbuilder import expose from flask_appbuilder.security.sqla.manager import SecurityManager from flask_appbuilder.security.views import AuthOIDView from flask_appbuilder.security.forms import LoginForm_oid basedir = os.path.abspath(os.path.dirname(__file__)) class FixedOIDView(AuthOIDView): @expose("/login/", methods=["GET", "POST"]) def login(self, flag=True): form = LoginForm_oid() if form.validate_on_submit(): identity_url = None for provider in self.appbuilder.sm.openid_providers: if provider.get("url") == form.openid.data: identity_url = form.openid.data if identity_url is None: flash(self.invalid_login_message, "warning") return redirect(self.appbuilder.get_url_for_login) return super().login(flag=flag) class FixedSecurityManager(SecurityManager): authoidview = FixedOIDView FAB_SECURITY_MANAGER_CLASS = "config.FixedSecurityManager" ```

4.3.11
Affected by 4 other vulnerabilities.

VCID-swdd-djht-pbbh
Aliases:
CVE-2024-45314
GHSA-fw5r-6m3x-rh7p

Flask-AppBuilder's login form allows browser to cache sensitive fields Auth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using shared computer resources.

4.5.1
Affected by 3 other vulnerabilities.

VCID-t897-gphs-wugu
Aliases:
CVE-2025-58065
GHSA-765j-9r45-w2q2

Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods When Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider.

4.8.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-k3kr-tvxd-73hx	Flask-AppBuilder is an application development framework, built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges, could by adding a special character on the add, edit User forms trigger a database error, this error is surfaced back to this actor on the UI. On certain database engines this error can include the entire user row including the pbkdf2:sha256 hashed password. This vulnerability has been fixed in version 4.3.2.	CVE-2023-34110 GHSA-jhpr-j7cq-3jp3 PYSEC-2023-94

Vulnerability

Summary

Aliases

VCID-k3kr-tvxd-73hx

Flask-AppBuilder is an application development framework, built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges, could by adding a special character on the add, edit User forms trigger a database error, this error is surfaced back to this actor on the UI. On certain database engines this error can include the entire user row including the pbkdf2:sha256 hashed password. This vulnerability has been fixed in version 4.3.2.

CVE-2023-34110
GHSA-jhpr-j7cq-3jp3
PYSEC-2023-94

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T06:06:06.011560+00:00	GitLab Importer	Affected by	VCID-t897-gphs-wugu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask-AppBuilder/CVE-2025-58065.yml	38.6.0
2026-06-06T05:49:59.547900+00:00	GitLab Importer	Affected by	VCID-8zwq-xg8n-q7g9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask-AppBuilder/CVE-2025-32962.yml	38.6.0
2026-06-06T05:41:21.980911+00:00	GitLab Importer	Affected by	VCID-hg35-2qm4-b7h9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask-AppBuilder/CVE-2025-24023.yml	38.6.0
2026-06-06T05:21:24.847602+00:00	GitLab Importer	Affected by	VCID-swdd-djht-pbbh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask-AppBuilder/CVE-2024-45314.yml	38.6.0
2026-06-06T04:42:23.602335+00:00	GitLab Importer	Affected by	VCID-nc2g-v8pn-nqcy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask-AppBuilder/CVE-2024-25128.yml	38.6.0
2026-06-05T17:04:27.338442+00:00	PyPI Importer	Affected by	VCID-hg35-2qm4-b7h9	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-06-05T17:02:45.967820+00:00	PyPI Importer	Fixing	VCID-k3kr-tvxd-73hx	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-06-04T17:20:29.572318+00:00	GithubOSV Importer	Fixing	VCID-k3kr-tvxd-73hx	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-jhpr-j7cq-3jp3/GHSA-jhpr-j7cq-3jp3.json	38.6.0
2026-06-02T04:45:10.397856+00:00	GitLab Importer	Fixing	VCID-k3kr-tvxd-73hx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask-AppBuilder/CVE-2023-34110.yml	38.6.0
2026-06-02T04:22:49.513335+00:00	Pypa Importer	Affected by	VCID-hg35-2qm4-b7h9	https://github.com/pypa/advisory-database/blob/main/vulns/flask-appbuilder/PYSEC-2025-15.yaml	38.6.0
2026-06-02T04:18:58.065707+00:00	Pypa Importer	Fixing	VCID-k3kr-tvxd-73hx	https://github.com/pypa/advisory-database/blob/main/vulns/flask-appbuilder/PYSEC-2023-94.yaml	38.6.0