Description
Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header, which tells caches to key the response on the Cookie header so that a page built for one logged-in user is not served to another. This is handled in most cases, but some forms of access, such as probing a key with the Python in operator, were overlooked, so the header is missing and the response can be stored and reused by a shared cache (Use of Cache Containing Sensitive Information, CWE-524). The severity and risk depend on the application being hosted behind a caching proxy that doesn't ignore responses with cookies, not setting a Cache-Control header to mark pages as private or non-cacheable, and accessing the session in a way that only touches keys without reading values or mutating the session. The issue has been fixed in version 3.1.3.
Published: 2026-02-21
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Use of Cache Containing Sensitive Information
Action: Immediate Patch
AI Analysis

Impact

Flask 3.1.2 and earlier omit the Vary: Cookie header when the session is accessed in certain ways (for example, checking whether a key is present with the Python in operator) rather than read or modified. Without that header, a shared cache that stores responses to requests carrying cookies can keep a page built for one logged-in user and later serve it to other users, exposing session-specific data.

Affected Systems

All installations of Flask 3.1.2 or earlier (pallets/flask, listed on this page under both the Pallets and Palletsprojects vendor names); Flask 3.1.3 and later contain the fix.

Risk and Exploitability

The CVSS v4.0 score of 2.3 indicates low severity, and the EPSS score of less than 1% reflects a very low likelihood of exploitation; Red Hat rates the issue Moderate (CVSS v3.1 4.3), and the SSVC assessment records no known exploitation and marks it not automatable. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires three conditions at once: the application sits behind a caching proxy or CDN that stores responses to requests carrying cookies (a proxy that honours Vary does not help, because the Vary: Cookie header is the thing that is missing); the application does not set Cache-Control: private or no-store on the affected pages; and a view accesses the session only by touching keys (such as 'user' in session) without reading values or mutating the session. An attacker then needs nothing more than to request the same URL after a logged-in user has primed the cache. Deployments whose proxy bypasses the cache for requests with cookies, or whose application marks authenticated pages private, are not exposed.

Generated by OpenCVE AI on April 17, 2026 at 16:54 UTC.

Remediation

Fixed upstream in Flask 3.1.3 (see GitHub advisory GHSA-68rp-wp8r-4726 and Ubuntu USN-8104-1). Until the upgrade is applied, the Cache-Control and Vary workarounds listed below apply.

OpenCVE Recommended Actions

  • Upgrade to Flask 3.1.3 or later, which adds the Vary: Cookie header for the overlooked session access patterns.
  • Configure any reverse proxy or CDN to bypass the cache for requests that carry cookies and for responses that set cookies; relying on the proxy honouring Vary is not enough while the header is missing.
  • If upgrading is not immediately possible, set Cache-Control: private (or no-store) on every response that may access session data, or add the Vary: Cookie header yourself (for example in an after_request hook or a WSGI middleware) whenever the session is touched, including key-only checks such as 'key' in session that do not read values or mutate the session.
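As an added example (not code from Flask or the Pallets project), the following stdlib-only Python models the overlooked access pattern from the description and the Vary/Cache-Control workaround from the last bullet as a WSGI middleware, so it can sit in front of an unpatched application without editing every view. The middleware, the toy vulnerable app, the shared_cache_may_store check and the cookie value are all constructed for this example; the only Flask-specific assumption is the default session cookie name session.

```python
# Added example, not code from Flask or the Pallets project: a stdlib-only WSGI
# middleware that supplies the cache-safety headers a Flask <= 3.1.2 app omits
# when a view only probes the session (e.g. "user" in session), plus a check
# that says whether a cookie-agnostic shared cache would be allowed to store a
# response. Names, the toy app and the cookie value are all constructed here.
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Headers = List[Tuple[str, str]]
WSGIApp = Callable[[dict, Callable], Iterable[bytes]]
SESSION_COOKIE_NAME = "session"  # Flask's default SESSION_COOKIE_NAME


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Minimal Cookie header parser; pairs without '=' are skipped."""
    jar: Dict[str, str] = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and name:
            jar[name] = val
    return jar


def header_values(headers: Headers, name: str) -> List[str]:
    """All values of a (case-insensitive) header name, in order."""
    return [v for k, v in headers if k.lower() == name.lower()]


def add_vary(headers: Headers, member: str = "Cookie") -> Headers:
    """Merge `member` into an existing Vary header instead of duplicating it."""
    for i, (k, v) in enumerate(headers):
        if k.lower() == "vary":
            parts = [p.strip() for p in v.split(",") if p.strip()]
            if "*" in parts or member.lower() in (p.lower() for p in parts):
                return headers
            headers[i] = (k, ", ".join(parts + [member]))
            return headers
    headers.append(("Vary", member))
    return headers


def shared_cache_may_store(headers: Headers) -> bool:
    """True when nothing tells a shared cache that ignores cookies to stay away:
    no Vary: Cookie (or Vary: *) and no private / no-store Cache-Control."""
    vary = {p.strip().lower() for v in header_values(headers, "Vary") for p in v.split(",")}
    if vary & {"cookie", "*"}:
        return False
    cc = {p.strip().lower() for v in header_values(headers, "Cache-Control") for p in v.split(",")}
    return not (cc & {"private", "no-store"})


class PrivateIfSessionCookie:
    """Assumed workaround, not Flask's 3.1.3 fix: when the request carries the
    session cookie or the response sets a cookie, force Vary: Cookie and, unless
    the app already chose a Cache-Control policy, Cache-Control: private, no-store."""

    def __init__(self, app: WSGIApp, cookie_name: str = SESSION_COOKIE_NAME) -> None:
        self.app = app
        self.cookie_name = cookie_name

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        has_session = self.cookie_name in parse_cookie_header(environ.get("HTTP_COOKIE", ""))

        def _start(status: str, headers: Headers, exc_info=None):
            headers = list(headers)  # copy: never mutate the app's list in place
            if has_session or header_values(headers, "Set-Cookie"):
                add_vary(headers, "Cookie")
                if not header_values(headers, "Cache-Control"):
                    headers.append(("Cache-Control", "private, no-store"))
            return start_response(status, headers, exc_info)

        return self.app(environ, _start)


def vulnerable_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Toy stand-in for the overlooked pattern: the view only asks "user" in
    session, renders a user-specific page, and (as Flask <= 3.1.2 does for that
    access) emits no Vary: Cookie. The session is faked from the cookie value;
    real Flask sessions are signed, so this is only a model of the behaviour."""
    cookies = parse_cookie_header(environ.get("HTTP_COOKIE", ""))
    session = {"user": cookies[SESSION_COOKIE_NAME]} if SESSION_COOKIE_NAME in cookies else {}
    body = b"Welcome back, member" if "user" in session else b"Hello, guest"
    start_response("200 OK", [("Content-Type", "text/plain"), ("Vary", "Accept-Encoding")])
    return [body]


def call(app: WSGIApp, cookie: Optional[str] = None) -> Tuple[str, Headers, bytes]:
    """Drive a WSGI app in-process and capture status, headers and body."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if cookie is not None:
        environ["HTTP_COOKIE"] = cookie
    captured: dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for label, app in (("Flask <= 3.1.2 pattern", vulnerable_app),
                       ("behind middleware", PrivateIfSessionCookie(vulnerable_app))):
        _, hdrs, body = call(app, cookie="session=abc123")  # constructed cookie
        print(f"{label}: {body!r} cacheable={shared_cache_may_store(hdrs)} {hdrs}")
```

The check mirrors how a cookie-agnostic shared cache decides: if neither Vary: Cookie nor Cache-Control: private or no-store is present, it will store the personalised page. Running the module shows the unpatched response classified as cacheable and the middleware-wrapped one as not, while a request without the session cookie passes through untouched. The middleware deliberately leaves an existing Cache-Control value alone, so a view that chose public, max-age keeps that policy but is still keyed per cookie by the added Vary header.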

Advisories
Source        ID                    Title
GitHub GHSA   GHSA-68rp-wp8r-4726   Flask session does not add `Vary: Cookie` header when accessed in some ways
Ubuntu USN    USN-8104-1            Flask vulnerability
History

Wed, 25 Feb 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 22:00:00 +0000

Type: First Time appeared
Values Added: Palletsprojects; Palletsprojects flask
Type: CPEs
Values Added: cpe:2.3:a:palletsprojects:flask:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Palletsprojects; Palletsprojects flask

Tue, 24 Feb 2026 00:15:00 +0000

Type: References
Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}; threat_severity Moderate


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Pallets; Pallets flask
Type: Vendors & Products
Values Added: Pallets; Pallets flask

Sat, 21 Feb 2026 05:45:00 +0000

Type: Description
Values Added: Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked. The severity and risk depend on the application being hosted behind a caching proxy that doesn't ignore responses with cookies, not setting a Cache-Control header to mark pages as private or non-cacheable, and accessing the session in a way that only touches keys without reading values or mutating the session. The issue has been fixed in version 3.1.3.
Type: Title
Values Added: Flask session does not add `Vary: Cookie` header when accessed in some ways
Type: Weaknesses
Values Added: CWE-524
Type: References
Type: Metrics
Values Added: cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T19:03:11.374Z

Reserved: 2026-02-18T19:47:02.155Z

Link: CVE-2026-27205

Vulnrichment

Updated: 2026-02-24T19:03:04.896Z

NVD

Status : Analyzed

Published: 2026-02-21T06:17:00.910

Modified: 2026-02-24T21:59:52.183

Link: CVE-2026-27205

Red Hat

Severity : Moderate

Public Date: 2026-02-21T05:21:17Z

Links: CVE-2026-27205 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T17:00:10Z

Weaknesses