CVE-2026-27205

Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked. The severity and risk depend on the application being hosted behind a caching proxy that doesn't ignore responses with cookies, not setting a Cache-Control header to mark pages as private or non-cacheable, and accessing the session in a way that only touches keys without reading values or mutating the session. The issue has been fixed in version 3.1.3.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4	Patch
https://github.com/pallets/flask/releases/tag/3.1.3	Product Release Notes
https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:palletsprojects:flask:*:*:*:*:*:*:*:*

History

24 Feb 2026, 21:59

Type	Values Removed	Values Added
Summary		(es) Flask es un framework de aplicación web de interfaz de puerta de enlace de servidor web (WSGI). En las versiones 3.1.2 e inferiores, cuando se accede al objeto de sesión, Flask debería establecer el encabezado Vary: Cookie, lo que resulta en una vulnerabilidad de Uso de Caché que Contiene Información Sensible. La lógica instruye a las cachés a no almacenar en caché la respuesta, ya que puede contener información específica de un usuario autenticado. Esto se maneja en la mayoría de los casos, pero algunas formas de acceso, como el operador in de Python, fueron pasadas por alto. La severidad y el riesgo dependen de que la aplicación esté alojada detrás de un proxy de caché que no ignore las respuestas con cookies, de no establecer un encabezado Cache-Control para marcar las páginas como privadas o no almacenables en caché, y de acceder a la sesión de una manera que solo toque las claves sin leer los valores o mutar la sesión. El problema ha sido solucionado en la versión 3.1.3.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3
CPE		cpe:2.3:a:palletsprojects:flask::::::::
First Time		Palletsprojects Palletsprojects flask
References	~~() https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4 -~~	() https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4 - Patch
References	~~() https://github.com/pallets/flask/releases/tag/3.1.3 -~~	() https://github.com/pallets/flask/releases/tag/3.1.3 - Product, Release Notes
References	~~() https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726 -~~	() https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726 - Vendor Advisory

21 Feb 2026, 06:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-21 06:17

Updated : 2026-02-24 21:59

NVD link : CVE-2026-27205

Mitre link : CVE-2026-27205

CVE.ORG link : CVE-2026-27205

JSON object : View

Products Affected

palletsprojects

flask

CWE

CWE-524

Use of Cache Containing Sensitive Information

4.3 /10