Use of Cache Containing Sensitive Information in Flask by Pallets
CVE-2026-27205

2.3LOW

Key Information:

Vendor

Pallets

Status
Flask
Vendor
CVE Published:
21 February 2026

What is CVE-2026-27205?

Flask, a popular web server gateway interface (WSGI) framework, has a vulnerability that arises when session objects are accessed. In versions 3.1.2 and below, the framework fails to consistently apply the Vary: Cookie header, which can lead to sensitive information being cached improperly. This flaw may permit caching proxies to store responses that contain user-specific information, especially if the Cache-Control header is not accurately configured to ensure pages are treated as private or non-cacheable. The oversight primarily affects scenarios where access to session data only involves non-mutating operations. Users are advised to upgrade to Flask version 3.1.3, where this vulnerability is mitigated.

Affected Version(s)

flask < 3.1.3

References

https://github.com/pallets/flask/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/pallets/flask/commit/089cb86dd22bff589...
x_refsource_MISC
https://github.com/pallets/flask/releases/tag/3.1.3
x_refsource_MISC

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.