CVE-2021-41265

8.1 HIGH

📋 TL;DR

CVE-2021-41265 is an authentication bypass in Flask-AppBuilder's REST API: a specially crafted request lets an attacker reach API endpoints that should require authentication. It affects deployments whose AUTH_TYPE is anything other than AUTH_DB (OAuth, OpenID, LDAP, REMOTE_USER) and that expose REST API endpoints. Applications built on Flask-AppBuilder that serve a REST API with one of those authentication backends are at risk.

💻 Affected Systems

Products:
  • Flask-AppBuilder
Versions: Prior to 3.3.4
Operating Systems: All operating systems running Flask-AppBuilder
Default Config Vulnerable: ✅ No (the framework's default AUTH_TYPE is AUTH_DB, which is not affected)
Notes: Only deployments with a non-database AUTH_TYPE (AUTH_OAUTH, AUTH_OID, AUTH_LDAP, AUTH_REMOTE_USER) that expose REST API endpoints (API classes registered with appbuilder.add_api) are affected. Database authentication (AUTH_DB) is not affected.

📦 What is this software?

Flask-AppBuilder is a Python application framework built on Flask. It provides auto-generated CRUD views, a security manager with pluggable authentication backends (database, LDAP, OAuth, OpenID, REMOTE_USER), role-based permissions, and a REST API layer that exposes models as JSON endpoints under /api/v1/. It is the framework underneath Apache Superset and (until Airflow 3) the Apache Airflow webserver, so those products' auth and API surfaces are built on it.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of protected REST API endpoints leading to data theft, unauthorized modifications, or privilege escalation depending on endpoint functionality.

🟠

Likely Case

Unauthorized access to sensitive data through REST API endpoints, potentially exposing user information or application data.

🟢

If Mitigated

Limited impact if the REST API is reachable only through an authenticating reverse proxy or API gateway, or only from trusted networks. API rate limiting does not help on its own: the bypass request is a single well-formed API call, not a brute-force pattern.

🌐 Internet-Facing: HIGH - Internet-facing Flask-AppBuilder applications with REST APIs are directly exploitable without authentication.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but require network access; risk depends on internal network security controls.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires crafting specific HTTP requests but doesn't require authentication; exploit details are publicly available in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.4

Vendor Advisory: https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-m3rf-7m4w-r66q

Restart Required: Yes

Instructions:

1. Upgrade Flask-AppBuilder with pip: 'pip install "Flask-AppBuilder>=3.3.4"' (pin to 3.3.4 only if you must stay on the 3.3 line; later releases also contain the fix).
2. Restart every Flask process serving the application (gunicorn/uwsgi workers included), since the old code stays loaded until the process restarts.
3. Confirm the installed version with 'pip show Flask-AppBuilder', and do this inside the same virtualenv or container image the application actually runs from.

🔧 Temporary Workarounds

Disable vulnerable REST API endpoints

Applies to: all

Until the patch is deployed, stop exposing the Flask-AppBuilder REST API. Flask-AppBuilder registers REST API classes per appbuilder.add_api(...) call, so removing those registrations for anything you do not strictly need is the code-side option; restricting the remaining /api/ paths to trusted networks at the reverse proxy is usually the quicker stopgap.

Implement Web Application Firewall (WAF) rules

Applies to: all

Use the WAF or reverse proxy to restrict who can reach /api/ rather than trying to pattern-match "suspicious" authentication: allow /api/ only from trusted source ranges or from clients presenting a gateway-issued credential, and deny everything else. Signature-style rules are a poor fit for an authentication bypass, because the bypass request looks like an ordinary API call.

🧯 If You Can't Patch

  • Implement network-level access controls to restrict access to Flask-AppBuilder REST API endpoints
  • Deploy additional authentication layer (API gateway, reverse proxy with auth) in front of vulnerable endpoints
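The two stopgaps above (network-level restriction and an extra authentication layer in front of /api/) can be combined in one gate. The following is an added example, not code from Flask-AppBuilder or from the advisory: a plain WSGI middleware that refuses any request under /api unless the client address is in an allowlist and the request carries a gateway-issued shared secret in an X-Gateway-Token header. The allowlist, the header name and the token value are assumptions for illustration; in a real deployment the token comes from your secret store and the proxy injects the header. It is pure WSGI so it runs without Flask installed; wrap a Flask-AppBuilder app with app.wsgi_app = ApiGate(app.wsgi_app).

```python
"""Stopgap gate for CVE-2021-41265: deny /api/ unless the caller is on an
allowlisted network AND presents the gateway token. Added example, not part
of Flask-AppBuilder. Allowlist, header name and token are assumptions."""
import hmac
import ipaddress

# Constructed allowlist and secret for the example; replace in production.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
GATEWAY_TOKEN = "example-token-load-from-your-secret-store"


def client_allowed(remote_addr: str) -> bool:
    """True when REMOTE_ADDR parses as an IP inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_NETWORKS)


def token_valid(header_value) -> bool:
    """Constant-time comparison so the token cannot be recovered byte by byte."""
    if not header_value:
        return False
    return hmac.compare_digest(header_value, GATEWAY_TOKEN)


class ApiGate:
    """WSGI middleware: everything under `prefix` must pass both checks."""

    def __init__(self, app, prefix: str = "/api"):
        self.app = app
        self.prefix = prefix.rstrip("/")

    def _is_api_path(self, path: str) -> bool:
        # Match "/api" and "/api/..." but not "/apiary".
        return path == self.prefix or path.startswith(self.prefix + "/")

    def __call__(self, environ, start_response):
        if self._is_api_path(environ.get("PATH_INFO", "")):
            addr = environ.get("REMOTE_ADDR", "")
            token = environ.get("HTTP_X_GATEWAY_TOKEN")
            if not (client_allowed(addr) and token_valid(token)):
                body = b'{"message": "forbidden"}'
                start_response("403 Forbidden", [
                    ("Content-Type", "application/json"),
                    ("Content-Length", str(len(body))),
                ])
                return [body]
        return self.app(environ, start_response)


def _protected_app(environ, start_response):
    """Stand-in for the unpatched Flask-AppBuilder app behind the gate."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def request_status(app, path: str, remote_addr: str, token=None) -> str:
    """Drive a WSGI app with a minimal environ and return the status line."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "REMOTE_ADDR": remote_addr}
    if token is not None:
        environ["HTTP_X_GATEWAY_TOKEN"] = token
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    list(app(environ, start_response))  # consume the body iterator
    return captured["status"]


gated = ApiGate(_protected_app)

if __name__ == "__main__":
    print(request_status(gated, "/api/v1/users/", "203.0.113.5"))
    print(request_status(gated, "/api/v1/users/", "10.1.2.3", GATEWAY_TOKEN))
```

If the application sits behind a load balancer, REMOTE_ADDR is the balancer's address, so either terminate this check at the balancer or apply werkzeug's ProxyFix (with the correct hop count) before the gate; trusting X-Forwarded-For blindly turns the allowlist into a header the attacker controls.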

🔍 How to Verify

Check if Vulnerable:

Check the installed Flask-AppBuilder version and the application's AUTH_TYPE setting. A deployment is vulnerable when the version is below 3.3.4, AUTH_TYPE is anything other than AUTH_DB (AUTH_OAUTH, AUTH_OID, AUTH_LDAP or AUTH_REMOTE_USER), and the application registers REST API endpoints.

Check Version:

pip show Flask-AppBuilder | grep Version

Verify Fix Applied:

Confirm that the Flask-AppBuilder version reported inside the running environment is 3.3.4 or higher, then check that an unauthenticated request to one of the application's /api/ endpoints is rejected (HTTP 401) and that a normal login through the configured provider still works.
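The verification steps above combine two facts (installed version, configured AUTH_TYPE). The script below is an added example, not part of Flask-AppBuilder or the advisory, that encodes that check so it can run from an inventory job: it reads the package version through importlib.metadata, pulls AUTH_TYPE out of a config.py body, and returns a verdict. The AUTH_* constants are copied from flask_appbuilder.const as they stand in the 3.x line so the script also runs on a host where the package is not importable; if you have the package, import them from there instead.

```python
"""Is this deployment in scope for CVE-2021-41265?  Vulnerable only when the
Flask-AppBuilder version is below 3.3.4 AND AUTH_TYPE is not AUTH_DB.
Added example; not code from Flask-AppBuilder or the advisory."""
import re
from importlib import metadata
from typing import Optional

FIXED_VERSION = (3, 3, 4)

# Values as defined in flask_appbuilder.const for the 3.x line, copied here so
# the check runs without the package importable (assumption: unchanged values).
AUTH_OID, AUTH_DB, AUTH_LDAP, AUTH_REMOTE_USER, AUTH_OAUTH = 0, 1, 2, 3, 4
AUTH_BY_NAME = {
    "AUTH_OID": AUTH_OID, "AUTH_DB": AUTH_DB, "AUTH_LDAP": AUTH_LDAP,
    "AUTH_REMOTE_USER": AUTH_REMOTE_USER, "AUTH_OAUTH": AUTH_OAUTH,
}
NAME_BY_AUTH = {v: k for k, v in AUTH_BY_NAME.items()}


def parse_version(version: str) -> tuple:
    """'3.3.4', '3.3.4rc1' or '3.3.4.post1' -> (3, 3, 4). Suffixes are dropped:
    they never change which side of the 3.3.4 fix a release is on."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def auth_type_from_config(source: str) -> int:
    """Extract AUTH_TYPE from the text of a Flask-AppBuilder config.py.
    An unset AUTH_TYPE means AUTH_DB, which is the framework's own default."""
    m = re.search(r"^\s*AUTH_TYPE\s*=\s*(AUTH_[A-Z_]+|\d+)", source, re.MULTILINE)
    if not m:
        return AUTH_DB
    token = m.group(1)
    return int(token) if token.isdigit() else AUTH_BY_NAME[token]


def is_vulnerable(version: str, auth_type: int) -> bool:
    """Both advisory conditions must hold."""
    return parse_version(version) < FIXED_VERSION and auth_type != AUTH_DB


def installed_version() -> Optional[str]:
    """Version of Flask-AppBuilder in the current interpreter, or None."""
    try:
        return metadata.version("Flask-AppBuilder")
    except metadata.PackageNotFoundError:
        return None


def report(version: str, auth_type: int) -> str:
    """One-line verdict suitable for an inventory script."""
    name = NAME_BY_AUTH.get(auth_type, str(auth_type))
    verdict = "VULNERABLE" if is_vulnerable(version, auth_type) else "not affected"
    return f"Flask-AppBuilder {version} with AUTH_TYPE={name}: {verdict}"


if __name__ == "__main__":
    import sys
    ver = installed_version()
    if ver is None:
        sys.exit("Flask-AppBuilder is not installed in this interpreter")
    cfg = open(sys.argv[1]).read() if len(sys.argv) > 1 else ""
    print(report(ver, auth_type_from_config(cfg)))
```

Run it with the same interpreter the application uses (python check.py /path/to/config.py); a system-wide pip that differs from the app's virtualenv is the usual way this check gives a false "not affected". The config scan is a text heuristic: if AUTH_TYPE is set from an environment variable or computed at import time, read app.config["AUTH_TYPE"] from the live app instead.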

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns in REST API logs
  • Failed authentication attempts followed by successful access to protected endpoints
  • Requests to /api/* endpoints with crafted authentication headers

Network Indicators:

  • HTTP requests to REST API endpoints with unusual authentication parameters
  • Traffic patterns showing authentication bypass attempts

SIEM Query (pseudo-query; adapt the field names to your log pipeline and correlate per source address):

source="flask-appbuilder-access" AND uri_path="/api/*" AND status>=200 AND status<300
  WHERE the same src_ip produced status=401 OR status=403 on uri_path="/api/*" within the preceding 10 minutes
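The indicator "failed authentication attempts followed by successful access" is simple to express over ordinary web-server access logs. The following is an added example, not code from the page or from Flask-AppBuilder: it parses combined-log-format lines (the default for nginx, Apache and gunicorn), keeps per-client timestamps of 401/403 responses under /api/, and flags any client that then receives a 2xx under /api/ within a window. The sample log lines are constructed for the example, and the window and threshold are assumptions to tune.

```python
"""Detection for CVE-2021-41265 style bypass attempts over access logs:
a client that collected auth failures on /api/ and then got a 2xx on /api/.
Added example with constructed log lines; thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse(line: str):
    """One access-log line -> dict, or None when it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def bypass_candidates(lines, window=timedelta(minutes=10), min_failures=3, prefix="/api/"):
    """Return (ip, path, timestamp, recent_failure_count) for every 2xx response
    under `prefix` whose client had at least `min_failures` 401/403 responses
    under `prefix` inside `window` beforehand. Lines must be in time order."""
    failures = defaultdict(list)  # ip -> timestamps of 401/403 on /api/
    hits = []
    for rec in filter(None, map(parse, lines)):
        if not rec["path"].startswith(prefix):
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["status"] in (401, 403):
            failures[ip].append(ts)
        elif 200 <= rec["status"] < 300:
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= min_failures:
                hits.append((ip, rec["path"], ts, len(recent)))
    return hits


# Constructed sample: one client fails three times then succeeds; another
# client succeeds with no prior failures; a non-API 401 must be ignored.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2021:13:55:01 +0000] "POST /api/v1/security/login HTTP/1.1" 401 52 "-" "curl/7.79"
198.51.100.7 - - [10/Oct/2021:13:55:03 +0000] "POST /api/v1/security/login HTTP/1.1" 401 52 "-" "curl/7.79"
198.51.100.7 - - [10/Oct/2021:13:55:04 +0000] "GET /api/v1/users/ HTTP/1.1" 401 52 "-" "curl/7.79"
198.51.100.7 - - [10/Oct/2021:13:55:09 +0000] "GET /api/v1/users/ HTTP/1.1" 200 4801 "-" "curl/7.79"
10.0.0.12 - - [10/Oct/2021:13:56:00 +0000] "GET /api/v1/users/ HTTP/1.1" 200 4801 "-" "Mozilla/5.0"
10.0.0.12 - - [10/Oct/2021:13:56:30 +0000] "GET /static/app.css HTTP/1.1" 401 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, path, ts, n in bypass_candidates(SAMPLE_LOG):
        print(f"{ts.isoformat()} {ip} reached {path} after {n} recent auth failures")
```

This is a retrospective signal, not prevention: a user who mistypes a password a few times and then logs in will also trip it, so treat a hit as a lead to pivot on (what the client did after the 2xx, whether the user it mapped to should have an API token at all) rather than as proof of exploitation.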

🔗 References

  • GitHub Security Advisory GHSA-m3rf-7m4w-r66q: https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-m3rf-7m4w-r66q
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-41265
