PT-2026-21353 · Flask+2

Shouryaj98 · Published 2026-02-19 · Updated 2026-05-19

CVE-2026-27205
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Flask versions 3.1.2 and below

Description: Flask, a web server gateway interface (WSGI) web application framework, may mishandle caching when a view accesses the session object. Flask adds a 'Vary: Cookie' header to responses whose handler touched the session, so that a cache keys the response per cookie; certain forms of access, notably a membership test with the Python 'in' operator, were not counted as access, and the header was not set. The result is a Use of Cache Containing Sensitive Information issue: a response generated for one user's session can be stored by a shared cache and served to other users. Exploitation requires all of the following: the application is hosted behind a caching proxy that does not exclude responses carrying cookies from its cache; the response carries no 'Cache-Control' header marking it private or non-cacheable; and the view accesses the session only in a way that tests keys without reading values or mutating the session.

Recommendations: Update to Flask version 3.1.3 or later. Until then, set 'Cache-Control: private' (or 'no-store') on responses that depend on the session, or configure the caching proxy not to cache responses that set cookies.
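The following is an added, self-contained model of the mechanism the description refers to; it is not Flask's code and does not import Flask. The class names (TrackedSession, VulnerableSession, FixedSession), the render and cache_decision helpers and the sample view are invented for illustration and simplify the real framework internals. It shows how a session that only records reads and writes as "access" fails to emit 'Vary: Cookie' when a view merely tests `key in session`, how a shared cache then treats that response as cacheable for everyone, and how either counting membership tests as access or adding 'Cache-Control: private' closes the gap.

```python
"""Toy model of 'Vary: Cookie' tracking on a session object.

Added example, not Flask source. All names below are hypothetical; the
point is the behaviour the advisory describes, not Flask's exact code.
"""


class TrackedSession(dict):
    """Dict-backed session that remembers whether a view ever touched it."""

    def __init__(self, *args, **kwargs):
        # dict's own __init__ does not go through our __setitem__, so
        # loading cookie data does not count as access by the view.
        super().__init__(*args, **kwargs)
        self.accessed = False

    def __getitem__(self, key):
        self.accessed = True
        return super().__getitem__(key)

    def get(self, key, default=None):
        self.accessed = True
        return super().get(key, default)

    def __setitem__(self, key, value):
        self.accessed = True
        super().__setitem__(key, value)


class VulnerableSession(TrackedSession):
    """Pre-fix model: `key in session` falls through to dict.__contains__
    and is NOT recorded as access, so no 'Vary: Cookie' is emitted."""


class FixedSession(TrackedSession):
    """Post-fix model: membership tests are recorded as access too."""

    def __contains__(self, key):
        self.accessed = True
        return super().__contains__(key)


def render(session_cls, view, cookie_data=None, mark_private=False):
    """Run `view` against a fresh session and build the response headers the
    way a framework would: 'Vary: Cookie' only if the session was accessed.
    `mark_private` models the application-level mitigation of adding
    'Cache-Control: private' to session-dependent responses."""
    session = session_cls(cookie_data or {})
    body = view(session)
    headers = {"Content-Type": "text/html"}
    if session.accessed:
        headers["Vary"] = "Cookie"
    if mark_private:
        headers["Cache-Control"] = "private"
    return body, headers


def cache_decision(headers):
    """Crude model of a shared caching proxy that does not special-case
    responses with cookies: it stores and shares a response unless told the
    response varies by Cookie or is private / non-cacheable."""
    cc = headers.get("Cache-Control", "").lower()
    if "private" in cc or "no-store" in cc:
        return "not cached"
    if "cookie" in headers.get("Vary", "").lower():
        return "cached per cookie"
    return "cached and shared"


def logged_in_banner(session):
    """Sample view (constructed): only a membership test on the session,
    the access pattern the advisory says was overlooked."""
    return "Welcome back" if "user_id" in session else "Please log in"


def leaks_across_users(session_cls, mark_private=False):
    """True if a response personalised for a logged-in user would be stored
    by the shared cache and handed to every later visitor."""
    body, headers = render(
        session_cls, logged_in_banner, {"user_id": 42}, mark_private
    )
    return body == "Welcome back" and cache_decision(headers) == "cached and shared"


if __name__ == "__main__":
    print("vulnerable session leaks:", leaks_across_users(VulnerableSession))
    print("fixed session leaks:     ", leaks_across_users(FixedSession))
    print("vulnerable + private:    ", leaks_across_users(VulnerableSession, True))
```

Running the script shows the vulnerable model leaking the personalised banner into the shared cache, while either the corrected membership tracking or an explicit 'Cache-Control: private' prevents it. When auditing a real deployment, check the response headers of session-dependent pages at the edge of the cache, not just in the application, since an intermediate proxy may strip or override them.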

Related Identifiers

CVE-2026-27205
ECHO-32C7-8A8F-5DF3
GHSA-68RP-WP8R-4726
OESA-2026-2135
OESA-2026-2136
OESA-2026-2137
OPENSUSE-SU-2026:10264-1
SUSE-SU-2026:0849-1
USN-8104-1

Affected Products

Flask
Linuxmint
Ubuntu