CVE Tools
Sign in

CVE-2026-27205

Flask session does not add `Vary: Cookie` header when accessed in some ways

Published: Feb 21, 2026Updated: Feb 24, 2026 Sources: CVE List NVD GHSACWE-524
NVD MITRE
4.3CVSSMEDIUM
EPSS Score
0.4%
Top 71.0%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked. The severity and risk depend on the application being hosted behind a caching proxy that doesn't ignore responses with cookies, not setting a Cache-Control header to mark pages as private or non-cacheable, and accessing the session in a way that only touches keys without reading values or mutating the session. The issue has been fixed in version 3.1.3.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:RS:UC:LI:NA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:RUser Interaction
Required
Scope
S:UScope
Unchanged
Impact
C:LConfidentiality
Low
I:NIntegrity
None
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-524

Affected Products

flaskpallets
Library
OSS Libraries / pypi
flaskPyPIOSS Libraries
flaskpalletsprojects
Library
OSS Libraries / pypi
palletsoss-projectUSOSS Libraries
pypipackage-ecosystemOSS Libraries
palletsprojectsoss-projectUSOSS Libraries

Exploitability

Official Patch Available

References

https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726
github.com
https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4
github.com
https://github.com/pallets/flask/releases/tag/3.1.3
github.com
and 2 more references View all →

Timeline

Published
Feb 21, 2026
Last Updated
Feb 24, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-27205 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows