CVE-2026-27205: Flask session does not add `Vary: Cookie` header when accessed in some ways

Published Feb 19, 2026

Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, Flask should set the `Vary: Cookie` header whenever the session object is accessed, but some forms of access do not trigger it, resulting in a Use of Cache Containing Sensitive Information vulnerability. Setting the header instructs caches not to cache the response, as it may contain information specific to a logged-in user. Most access patterns are handled, but some, such as the Python `in` operator, were overlooked. The severity and risk depend on the application being hosted behind a caching proxy that does not ignore responses with cookies, on no `Cache-Control` header marking pages as private or non-cacheable, and on the session being accessed in a way that only touches keys without reading values or mutating the session. The issue has been fixed in version 3.1.3.
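A constructed, standard-library-only model of the access-tracking pattern the advisory describes (an added example, not Flask's own code): a session dict that only earns a `Vary: Cookie` header when it was marked as accessed, a view that probes the session with `in` without reading a value, and a small defender check for the `Cache-Control` fallback the advisory mentions. The class and function names are assumptions for illustration.

```python
# Constructed model of the flaw described above (not Flask's own code):
# a session dict records whether the request touched it, and the response
# only gets "Vary: Cookie" when that flag is set.

class TrackedSession(dict):
    """Marks reads and writes as an access, but forgets the `in` operator."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.accessed = False

    def __getitem__(self, key):
        self.accessed = True
        return super().__getitem__(key)

    def get(self, key, default=None):
        self.accessed = True
        return super().get(key, default)

    def __setitem__(self, key, value):
        self.accessed = True
        super().__setitem__(key, value)


class FixedSession(TrackedSession):
    """Also treats a key-only probe ('key in session') as an access."""

    def __contains__(self, key):
        self.accessed = True
        return super().__contains__(key)


def greeting_view(session):
    """A view that only checks for a key, never reading its value or writing."""
    return "Welcome back" if "user_id" in session else "Please log in"


def finalize_headers(session, headers=None):
    """After-request step: add Vary: Cookie only if the session was accessed."""
    headers = dict(headers or {"Content-Type": "text/html"})
    if session.accessed:
        headers["Vary"] = "Cookie"
    return headers


def cache_safe(headers):
    """Defender check: response is keyed on Cookie or marked private/no-store."""
    cc = headers.get("Cache-Control", "")
    return headers.get("Vary") == "Cookie" or "private" in cc or "no-store" in cc
```

With `TrackedSession`, the key-only view leaves `accessed` unset and the response ships without `Vary: Cookie`; `FixedSession` closes that gap, and `cache_safe` shows why an explicit private `Cache-Control` header limits exposure even on the unfixed path.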

Affected Software

2 affected components, fixes available:
pip/flask <3.1.3 (fixed in 3.1.3)
palletsprojects Flask <3.1.3 (fixed in 3.1.3)

Event History

Feb 19, 2026, 08:45 PM: Advisory published via GitHub
Feb 19, 2026, 08:45 PM: Data sourced via GitHub (description, weakness, affected software)
Feb 21, 2026, 05:21 AM: CVE published via MITRE
Feb 21, 2026, 05:21 AM: Data sourced via MITRE (description, weakness)
Feb 21, 2026, 06:17 AM: Data sourced via NVD (remedy, description, severity, weakness, affected software)

Frequently Asked Questions

1. What is the severity of CVE-2026-27205?

The CVE-2026-27205 vulnerability has been recognized as having a moderate severity due to its potential impact on user session security.

2. How do I fix CVE-2026-27205?

To mitigate CVE-2026-27205, update Flask to version 3.1.3 or later, where the issue has been addressed.

3. What does the CVE-2026-27205 vulnerability affect?

CVE-2026-27205 affects Flask applications where the session object is accessed without the proper `Vary: Cookie` header being set.

4. Who is affected by CVE-2026-27205?

Developers using Flask versions prior to 3.1.3 who rely on session-based user authentication may be affected by CVE-2026-27205.

5. What is the impact of CVE-2026-27205?

The impact of CVE-2026-27205 includes the risk of user-specific information being cached publicly, which could lead to session hijacking.

© 2026 SecAlerts Pty Ltd.