security: upgrade Python dependencies to Flask 2.3.3 and Werkzeug 3.1.6 #7719

Open

wtfiwtz wants to merge 2 commits into getredash:master from orchestrated-io:fix/python-security-deps-werkzeug3

Conversation

wtfiwtz commented Jun 1, 2026

Upgrade security-critical Python dependencies while staying on Flask 2.x. Werkzeug 3.x is compatible with Flask 2.3.x and provides important security fixes without requiring a Flask 3 migration.

Core dependency upgrades:

  • authlib: 0.15.5 → 1.7.2 (fixes CVEs in OAuth/OIDC flows)
  • cryptography: 43.0.1 → 48.0.0
  • flask: 2.3.2 → 2.3.3
  • flask-login: 0.6.0 → 0.6.3
  • flask-wtf: 1.1.1 → 1.3.0
  • itsdangerous: 2.1.2 → 2.2.0
  • jinja2: 3.1.5 → 3.1.6
  • pyjwt: 2.4.0 → 2.12.0
  • pyopenssl: 24.2.1 → 26.2.0
  • python-dotenv: 0.19.2 → 1.2.2
  • requests: 2.32.3 → 2.33.0
  • sqlparse: 0.5.0 → 0.5.4
  • urllib3: 1.26.19 → 1.26.20
  • werkzeug: 2.3.8 → 3.1.6

Added transitive dependency pins: pyasn1, mako, pynacl

Data source dependency upgrades:

  • boto3/botocore: 1.28.8 → 1.43.7
  • snowflake-connector-python: 3.12.3 → 4.5.0
  • New additions: azure-core, grpcio, h11, httpcore, marshmallow

Dev dependency upgrades:

  • pre-commit: 3.3.3 → 4.3.0
  • Add filelock, pygments, virtualenv

Code changes for authlib 1.x and Werkzeug 3.x compatibility:

  • Remove api_key_load_user_from_request from user_loader (belongs in request_loader)
  • Add TESTING-mode reset_request_g_cache hook to prevent g leakage across test requests
  • Pass explicit client_id/client_secret to oauth.register() (authlib 1.x API)
  • Replace flask.globals._app_ctx_stack with current_app (Werkzeug 3 removal)


Co-authored-by: Cursor <cursoragent@cursor.com>
@wtfiwtz wtfiwtz marked this pull request as ready for review June 1, 2026 06:42
wtfiwtz (Author) commented Jun 1, 2026

Disclaimer: This comment was AI-generated to summarize the CVE and advisory coverage for this PR. Please verify against your scanner output and release notes before treating it as authoritative.

CVE / advisory coverage for PR #7719 (fix/python-security-deps-werkzeug3)

This PR upgrades security-critical Python dependencies while staying on Flask 2.x, with Werkzeug 3.x for security fixes without a Flask 3 migration.

Core dependency upgrades (named CVEs / advisories)

| Package | Version change | CVEs / advisories addressed |
| --- | --- | --- |
| werkzeug | 2.3.8 → 3.1.6 | CVE-2026-27199 (GHSA-29vq-49wr-vm6x); also picks up earlier Werkzeug 3.x fixes (e.g. CVE-2024-34069, CVE-2024-49766, CVE-2024-49767) |
| jinja2 | 3.1.5 → 3.1.6 | CVE-2025-27516 (sandbox escape) |
| authlib | 0.15.5 → 1.7.2 | OAuth/OIDC advisory fixes (commit notes “CVEs in OAuth/OIDC flows”; includes issues such as CVE-2024-37568 class JWT/JWS handling) |
| cryptography | 43.0.1 → 48.0.0 | Multiple OpenSSL-binding CVEs in intervening releases |
| pyjwt | 2.4.0 → 2.12.0 | CVE-2022-29217 and related algorithm-confusion fixes |
| urllib3 | 1.26.19 → 1.26.20 | CVE-2025-50181, CVE-2025-50182 (redirect/SSRF-class fixes in 1.26.x) |
| flask | 2.3.2 → 2.3.3 | Flask security patch release |
| requests | 2.32.3 → 2.33.0 | Tracks urllib3 / cert handling fixes |
| sqlparse | 0.5.0 → 0.5.4 | SQL parsing DoS fixes in 0.5.x |
| itsdangerous | 2.1.2 → 2.2.0 | Serializer security improvements |
| pyopenssl | 24.2.1 → 26.2.0 | OpenSSL compatibility / advisory fixes |
| flask-login | 0.6.0 → 0.6.3 | Maintenance / security patch level |
| flask-wtf | 1.1.1 → 1.3.0 | Maintenance / security patch level |
| python-dotenv | 0.19.2 → 1.2.2 | Dependency refresh |

Transitive pins added

| Package | Version | Notes |
| --- | --- | --- |
| pyasn1 | 0.6.3 | Addresses known advisories on dependency chain |
| pynacl | 1.6.2 | Addresses known advisories on dependency chain |
| mako | 1.3.12 | Addresses known advisories on dependency chain |

Data-source optional group upgrades (scanner-driven)

| Package | Version change | Notes |
| --- | --- | --- |
| boto3 / botocore | 1.28.8 → 1.43.7 | AWS SDK security fixes |
| snowflake-connector-python | 3.12.3 → 4.5.0 | Connector security fixes |
| azure-core, grpcio, h11, httpcore, marshmallow | New minimum pins | Transitive vulnerability fixes in data-source stacks |

Compatibility code changes (not CVE fixes, but required for upgrades)

  • Remove api_key_load_user_from_request from user_loader (belongs in request_loader)
  • TESTING-mode reset_request_g_cache hook to prevent g leakage across test requests
  • Explicit client_id / client_secret in oauth.register() (authlib 1.x API)
  • Replace flask.globals._app_ctx_stack with current_app (Werkzeug 3 removal)

Out of scope for this PR (other split PRs)

| Area | PR |
| --- | --- |
| Frontend / npm CVEs | #7720 |
| urllib3 2.x + champion SSRF | #7721 |
| Flask 3 / SQLAlchemy 1.4 migration | #7722 |
| Debian OS / Docker build-time CVEs | #7718 |

Known remaining issues (not fixed on this branch)

| Package | CVE / advisory | Notes |
| --- | --- | --- |
| jwcrypto 1.5.6 | CVE-2026-39373 | Fix requires 1.5.7 — not included in any split branch yet |
| bootstrap@3.4.1 (frontend) | CVE-2019-8331, CVE-2025-1647 | Frontend PR scope; CSS-only use |
| paramiko 3.4.1 | CVE-2026-44405 | Requires Paramiko 5.0.0 (breaking); blocked by unmaintained sshtunnel |
| pysaml2 7.3.1 | GMS-2016-67 | 7.5.x incompatible with pyOpenSSL 26.x constraint |
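One way a reviewer can verify that a lockfile actually meets the version floors claimed in the coverage table above, as an added example (not code from this PR or from Redash): the floor values come from the table, the requirement lines are constructed sample input, and the version comparison is a deliberately small stdlib-only stand-in for `packaging.version`.

```python
import re

# Minimum safe versions taken from the PR's coverage table (page values).
SAFE_FLOORS = {
    "werkzeug": "3.1.6",
    "jinja2": "3.1.6",
    "authlib": "1.7.2",
    "pyjwt": "2.12.0",
    "urllib3": "1.26.20",
    "cryptography": "48.0.0",
}

# Constructed sample: a pre-upgrade lockfile excerpt mixed with two compliant pins.
SAMPLE_REQUIREMENTS = """\
Werkzeug==2.3.8
Jinja2==3.1.6
authlib==0.15.5
PyJWT>=2.4.0,<3
urllib3==1.26.19 ; python_version < "3.12"
cryptography==48.0.0
"""

_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|~=)\s*([0-9][0-9A-Za-z.+-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '.', '_', '-' to one hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> tuple:
    """Comparable key: release segments with trailing zeros dropped ('3.1' == '3.1.0'),
    then a pre-release marker so '4.5.0rc1' sorts below the final '4.5.0'."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[.-]?(a|b|rc)(\d*))?", version)
    if not m:
        raise ValueError(f"unsupported version: {version!r}")
    release = [int(x) for x in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    pre = (0, {"a": 1, "b": 2, "rc": 3}[m.group(2)], int(m.group(3) or 0)) if m.group(2) else (1,)
    return (tuple(release), pre)


def find_unsafe_pins(requirements: str, floors: dict = SAFE_FLOORS) -> dict:
    """Return {package: pinned_version} for every floor package pinned below its floor.
    A '>=' lower bound is judged by the bound itself, since that version could still resolve."""
    below = {}
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0]  # drop comments and environment markers
        m = _PIN_RE.match(line)
        if not m:
            continue
        name, version = normalize(m.group(1)), m.group(3)
        floor = floors.get(name)
        if floor and version_key(version) < version_key(floor):
            below[name] = version
    return below
```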

cubic-dev-ai (Bot, Contributor) left a comment

No issues found across 8 files
