CVE-2025-32962: Flask-AppBuilder open redirect vulnerability using HTTP host injection
4.3
Basic Information
Technical Details
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
flask-appbuilder | pip | < 4.6.2 | 4.6.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability lies in how Flask-AppBuilder handles redirects when a list of safe redirect hosts is not explicitly configured. The referenced commit (32eedbbb5cb483a3e782c5f2732de4a6a650d9b6) renames the configuration variable used to specify these safe hosts from SAFE_REDIRECT_HOSTS to FAB_SAFE_REDIRECT_HOSTS. The core logic for checking safe redirects resides in the is_safe_redirect_url function within flask_appbuilder/utils/base.py. This function retrieves the list of safe hosts using current_app.config.get("FAB_SAFE_REDIRECT_HOSTS", []). Crucially, if this list is empty (i.e., not configured), it falls back to safe_hosts = [urlparse(request.host_url).netloc]. The vulnerability arises because request.host_url is derived from the HTTP Host header. If an attacker manipulates this header, request.host_url reflects the attacker-controlled domain, and is_safe_redirect_url then treats that domain as a trusted host, thereby allowing an open redirect. The patch itself is a hardening step that renames the setting and emphasizes configuring it, but is_safe_redirect_url is where the flawed check (in the absence of configuration) occurs, making it the central point of the vulnerability.
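The fallback described above, shown as an added, self-contained example that is not Flask-AppBuilder's own code: one function reproduces the flawed pattern (an empty FAB_SAFE_REDIRECT_HOSTS list makes the trusted host come from request.host_url, i.e. the client-supplied Host header), the other shows the defensive shape in which the only trusted hosts are the operator-configured list plus a canonical host taken from server-side configuration rather than from the request. The host names, the helper names and the canonical_host parameter are assumptions made for this illustration; the Flask request object is replaced by a plain string so the example runs offline.

```python
from urllib.parse import urlparse

# Constructed sample values (not taken from any real deployment).
APP_HOST = "app.example.test"                        # host the operator really serves
GENUINE_HOST_URL = "http://app.example.test/"        # request.host_url with an honest Host header
SPOOFED_HOST_URL = "http://attacker.example.test/"   # request.host_url if the Host header were forged


def _redirect_target(url: str):
    """Return (acceptable, netloc) for a candidate redirect URL.

    acceptable is False for shapes that must never be trusted; an empty
    netloc with acceptable=True means a relative path that stays on-site.
    """
    if url.startswith("///"):
        return False, ""
    parts = urlparse(url)
    if not parts.scheme and not parts.netloc:
        return True, ""               # relative path such as /dashboard
    if parts.scheme not in ("http", "https"):
        return False, ""              # javascript:, data:, scheme-relative //host, ...
    return True, parts.netloc


def is_safe_redirect_vulnerable(url: str, configured_hosts: list, request_host_url: str) -> bool:
    """Flawed pattern: with no configured allowlist, trust whatever host the request names."""
    acceptable, netloc = _redirect_target(url)
    if not acceptable:
        return False
    if not netloc:
        return True
    # The flaw: request_host_url is built from the HTTP Host header, so an
    # attacker-chosen value becomes the "trusted" host when nothing is configured.
    safe_hosts = configured_hosts or [urlparse(request_host_url).netloc]
    return netloc in safe_hosts


def is_safe_redirect_hardened(url: str, configured_hosts: list, canonical_host: str) -> bool:
    """Defensive shape: trusted hosts come only from server-side configuration.

    canonical_host is an assumption for this example (e.g. the value an
    operator sets in SERVER_NAME); it is never read from the request.
    """
    acceptable, netloc = _redirect_target(url)
    if not acceptable:
        return False
    if not netloc:
        return True
    safe_hosts = set(configured_hosts) | {canonical_host}
    return netloc in safe_hosts


def config_warnings(config: dict) -> list:
    """Deployment check: flag an app config that leaves the allowlist empty."""
    warnings = []
    if not config.get("FAB_SAFE_REDIRECT_HOSTS"):
        warnings.append("FAB_SAFE_REDIRECT_HOSTS is empty: redirect checks would "
                        "fall back to the request Host header")
    return warnings


if __name__ == "__main__":
    target = "http://attacker.example.test/login"
    print("vulnerable, no config, forged Host :", is_safe_redirect_vulnerable(target, [], SPOOFED_HOST_URL))
    print("vulnerable, no config, honest Host :", is_safe_redirect_vulnerable(target, [], GENUINE_HOST_URL))
    print("vulnerable, allowlist configured    :", is_safe_redirect_vulnerable(target, [APP_HOST], SPOOFED_HOST_URL))
    print("hardened, no config                :", is_safe_redirect_hardened(target, [], APP_HOST))
    print("config warnings                    :", config_warnings({}))
```

The first call is the regression test a defender wants: with an empty allowlist and a forged Host header the vulnerable check returns True for an off-site URL, while the same check with FAB_SAFE_REDIRECT_HOSTS populated, or the hardened variant, returns False. The config_warnings helper is the kind of startup-time assertion that keeps the empty-allowlist fallback from reaching production unnoticed.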