CVE-2025-58065: 
Python vulnerability analysis and mitigation

Flask-AppBuilder, an application development framework, was found to contain a security vulnerability (CVE-2025-58065) discovered in versions prior to 4.8.1. The vulnerability was disclosed on September 11, 2025, affecting installations configured to use OAuth, LDAP, or other non-database authentication methods (GitHub Advisory).

The vulnerability stems from the password reset endpoint remaining registered and accessible despite not being displayed in the user interface when using non-database authentication methods. This implementation flaw is classified as CWE-287 (Improper Authentication). The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, indicating network accessibility with low attack complexity (GitHub Advisory).

The vulnerability allows an enabled user to reset their password and create JWT tokens even after being disabled on the authentication provider. This could lead to unauthorized access and potential security bypass in affected systems (GitHub Advisory).

The primary mitigation is to upgrade to Flask-AppBuilder version 4.8.1 or later. If immediate upgrade is not possible, alternative workarounds include manually disabling password reset routes in the application configuration, implementing additional access controls at the web server or proxy level to block access to the reset password URL, and monitoring for suspicious password reset attempts from disabled accounts (GitHub Advisory).