Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-7kd2-6yuh-9fe4
Vulnerability ID VCID-7kd2-6yuh-9fe4
Aliases CVE-2022-21659
GHSA-wfjw-w6pv-8p7f
PYSEC-2022-24
Summary Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-203 Observable Discrepancy
CWE-204 Observable Response Discrepancy
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
There are no known severity scores.
Reference id Reference type URL
https://github.com/dpgaspar/Flask-AppBuilder
https://github.com/dpgaspar/Flask-AppBuilder/commit/e2b744c258ff62ece9d5ac7172c3b4644ff4c2fe
https://github.com/dpgaspar/Flask-AppBuilder/commits/v3.4.4
https://github.com/dpgaspar/Flask-AppBuilder/pull/1775
https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-wfjw-w6pv-8p7f
https://github.com/pypa/advisory-database/tree/main/vulns/flask-appbuilder/PYSEC-2022-24.yaml
CVE-2022-21659 https://nvd.nist.gov/vuln/detail/CVE-2022-21659
GHSA-wfjw-w6pv-8p7f https://github.com/advisories/GHSA-wfjw-w6pv-8p7f
No exploits are available.
There are no known vectors.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-02T04:16:21.973688+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/flask-appbuilder/PYSEC-2022-24.yaml 38.6.0