Flask-AppBuilder
cpe:2.3:a:flask-appbuilder_project:flask-appbuilder:*:*:*:*:*:*:*
- < 4.8.1
Flask-AppBuilder versions prior to 4.8.1 keep the password reset endpoint routable when the application is configured for OAuth, LDAP, or another non-database authentication method (any AUTH_TYPE other than AUTH_DB). The endpoint is not linked from the user interface in those configurations, but it still answers direct requests. Through it a user can set a database password for their account and then authenticate against the application's own database, including obtaining JWT tokens, so the application keeps issuing credentials even after the user has been disabled on the external authentication provider.
Exploitation therefore yields a password reset and the ability to mint JWT tokens that bypass user disablement on the authentication provider.
To reproduce, configure Flask-AppBuilder to use OAuth, LDAP, or another non-database authentication method and request the password reset endpoint directly by URL. It responds even though it is absent from the UI, and it continues to respond for an account that has been disabled on the authentication provider.
Users should upgrade to Flask-AppBuilder 4.8.1 or later, which is the fixed version. If an immediate upgrade is not possible: disable the password reset routes in the application's own configuration where the deployment allows it; add access controls at the web server or reverse proxy so that requests to the password reset URL are blocked whenever the authentication type is not database-backed; and monitor access logs for password reset requests, treating any from an account that is disabled on the authentication provider as a high-priority alert. Also review whether any accounts disabled on the provider now hold a database password, since those credentials remain valid in the application until removed.
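The following is an added example, not code from Flask-AppBuilder or from this advisory, showing two of the interim mitigations above in working form: a WSGI middleware that refuses the password reset routes unless AUTH_TYPE is AUTH_DB, and a small access-log scan that flags reset requests and escalates those made by accounts already disabled on the provider. The route bases `/resetmypassword` and `/resetpassword`, the access-log layout with the authenticated username in the third field, and the log lines themselves are assumptions constructed for the example; check them against what your deployment actually exposes and logs.

```python
"""Added example, not Flask-AppBuilder's own code: block and detect password-reset
requests in a deployment that uses OAuth/LDAP instead of database authentication."""
import re
from typing import Callable, Dict, Iterable, List

# Integer auth-type constants as defined in flask_appbuilder.const.
AUTH_OID, AUTH_DB, AUTH_LDAP, AUTH_REMOTE_USER, AUTH_OAUTH = range(5)

# Assumed route bases of Flask-AppBuilder's reset views (ResetMyPasswordView and
# ResetPasswordView). Adjust to whatever paths your deployment actually serves.
RESET_PATH_PREFIXES = ("/resetmypassword", "/resetpassword")


def is_reset_path(path: str) -> bool:
    """True when the request path addresses a password-reset route.

    Case and duplicate/trailing slashes are normalised first so that
    '/ResetMyPassword//form/' is still recognised as a reset route."""
    norm = re.sub(r"/+", "/", "/" + path.lower()).rstrip("/")
    return any(norm == p or norm.startswith(p + "/") for p in RESET_PATH_PREFIXES)


class BlockPasswordResetWhenNotAuthDB:
    """WSGI middleware: answer 404 on the reset routes unless AUTH_TYPE is AUTH_DB.

    Install with: app.wsgi_app = BlockPasswordResetWhenNotAuthDB(app.wsgi_app,
                                                                app.config["AUTH_TYPE"])"""

    def __init__(self, app: Callable, auth_type: int):
        self.app = app
        self.block = auth_type != AUTH_DB  # only database auth legitimately needs these routes

    def __call__(self, environ, start_response):
        if self.block and is_reset_path(environ.get("PATH_INFO", "")):
            body = b"Not Found"
            start_response("404 NOT FOUND", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def upstream_app(environ, start_response):
    """Stand-in for the real Flask-AppBuilder app: answers 200 to everything."""
    body = b"OK"
    start_response("200 OK", [("Content-Type", "text/plain"), ("Content-Length", "2")])
    return [body]


def request_status(app: Callable, path: str, method: str = "GET") -> str:
    """Drive a WSGI callable with a minimal environ and return the status line."""
    status: List[str] = []
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "SERVER_NAME": "localhost",
               "SERVER_PORT": "80", "wsgi.url_scheme": "http"}
    list(app(environ, lambda s, h, exc_info=None: status.append(s)))  # consume the body
    return status[0]


# Constructed access-log lines (not real data). Assumed format: a reverse proxy writing
# combined-log style lines with the authenticated username in the third field.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - alice [12/Mar/2025:10:01:02 +0000] "GET /users/list/ HTTP/1.1" 200
203.0.113.9 - bob [12/Mar/2025:10:02:15 +0000] "GET /resetmypassword/form HTTP/1.1" 200
203.0.113.9 - bob [12/Mar/2025:10:02:40 +0000] "POST /resetmypassword/form HTTP/1.1" 302
203.0.113.9 - - [12/Mar/2025:10:03:01 +0000] "POST /api/v1/security/login HTTP/1.1" 200
203.0.113.4 - carol [12/Mar/2025:10:04:11 +0000] "POST /resetpassword/form?user_id=7 HTTP/1.1" 302
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(log_text: str, disabled_users: Iterable[str]) -> List[Dict[str, str]]:
    """Flag every hit on a reset route; severity is 'high' when the requesting user
    is in the set of accounts disabled on the authentication provider."""
    disabled = set(disabled_users)
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string when matching routes
        if not is_reset_path(path):
            continue
        severity = "high" if m["user"] in disabled else "medium"
        findings.append({"user": m["user"], "ip": m["ip"], "method": m["method"],
                         "path": path, "status": m["status"], "severity": severity})
    return findings


if __name__ == "__main__":
    guarded = BlockPasswordResetWhenNotAuthDB(upstream_app, AUTH_OAUTH)
    print(request_status(guarded, "/resetmypassword/form"))   # blocked under OAuth
    for f in scan_access_log(SAMPLE_ACCESS_LOG, {"bob"}):
        print(f)
```

The middleware deliberately returns 404 rather than 403 so the blocked route looks the same as any nonexistent path; a 403 would confirm to a probing user that the endpoint exists. The log scan is a starting point only: its "disabled users" input has to come from the provider (an LDAP attribute or the IdP's user API), and the medium-severity findings are still worth reviewing because the page's point is that no reset should be happening at all under non-database authentication.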