CVE-2026-27205
Status: Received - Intake
Use of Cache Containing Sensitive Data in Flask Sessions

Publication date: 2026-02-21

Last updated on: 2026-02-24

Assigner: GitHub, Inc.

Description
Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header; failing to do so results in a Use of Cache Containing Sensitive Information vulnerability. The header instructs caches not to cache the response, as it may contain information specific to a logged-in user. This is handled in most cases, but some forms of access, such as the Python in operator, were overlooked. The severity and risk depend on three conditions holding together: the application is hosted behind a caching proxy that does not ignore responses with cookies, the application does not set a Cache-Control header marking pages as private or non-cacheable, and the session is accessed in a way that only touches keys without reading values or mutating the session. The issue has been fixed in version 3.1.3.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: palletsprojects
Product: flask
Version / Range: up to 3.1.3 (excluding)
CWE-524: The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27205 is a vulnerability in Flask versions 3.1.2 and below where the framework fails to set the HTTP header 'Vary: Cookie' when the session object is accessed in certain ways, such as using the Python 'in' operator to check for keys without reading or modifying session values.

The 'Vary: Cookie' header is important because it tells caching proxies not to cache responses that may contain user-specific session data. Without this header, sensitive session information could be cached and potentially exposed to unauthorized users.

This vulnerability occurs when the application is behind a caching proxy that respects cookies and does not set cache-control headers to prevent caching, combined with accessing the session in a way that only touches keys without reading or mutating values.

The issue was fixed in Flask version 3.1.3 by ensuring the 'Vary: Cookie' header is correctly set whenever the session is accessed. [1, 3]


How can this vulnerability impact me?

This vulnerability can lead to caching of personalized content containing sensitive session information by caching proxies that do not ignore cookie-containing responses and when cache-control headers are not properly set.

As a result, sensitive information specific to logged-in users may be exposed to unauthorized users who access cached responses.

The impact is considered low severity with a CVSS v4 base score of 2.3, involving a low confidentiality loss and no impact on integrity or availability.

The vulnerability is exploitable remotely without privileges or user interaction, but the actual risk depends on the deployment environment, specifically the presence and configuration of caching proxies and how the session is accessed.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if your Flask application version is 3.1.2 or below and if it is deployed behind a caching proxy that does not ignore responses with cookies and does not set Cache-Control headers to prevent caching.

To detect if the vulnerability is exploitable, you can monitor HTTP responses from your Flask application to see if the `Vary: Cookie` header is missing when the session object is accessed, especially when session keys are checked using operations like the Python `in` operator.

Suggested commands to help detect this issue include using curl or similar tools to inspect HTTP response headers for the presence or absence of the `Vary: Cookie` header.

- curl -I http://your-flask-app/endpoint -H 'Cookie: session=your_session_cookie'
- Check if the response headers include `Vary: Cookie`. If missing when session is accessed, the vulnerability may be present.

Additionally, reviewing your Flask version can be done with a Python command:

- python -c "import flask; print(flask.__version__)" [1]
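The header check above can be applied mechanically to captured responses. The following is an added example, not code from the tracker page or from Flask: it parses `curl -i`-style output and reports whether the response is keyed on the cookie (`Vary: Cookie`) or marked private/non-cacheable, which are the two conditions the description names; the sample responses are constructed.

```python
"""Header check for the CVE-2026-27205 condition: a response with no
``Vary: Cookie`` that is also not marked private/no-store can be stored
by a shared cache and served to another user.  Added example, not code
from the tracker page or from Flask; the sample responses are constructed."""


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse ``curl -i``-style output (status line, then headers) into a
    lower-cased name -> list of values map; repeated lines are kept."""
    headers: dict[str, list[str]] = {}
    for line in raw.strip().splitlines()[1:]:  # [0] is the status line
        if not line.strip():
            break  # blank line ends the header block; body follows
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def directives(values: list[str]) -> set[str]:
    """['public, max-age=300'] -> {'public', 'max-age'} (case-folded)."""
    return {p.strip().split("=", 1)[0].lower()
            for v in values for p in v.split(",") if p.strip()}


def assess(raw: str) -> tuple[str, str]:
    """Return ('ok', why) or ('at-risk', why).  Only Cache-Control
    private/no-store keep a shared cache from storing the response;
    no-cache permits storage and merely forces revalidation."""
    h = parse_headers(raw)
    vary = directives(h.get("vary", []))
    cache = directives(h.get("cache-control", []))
    if "cookie" in vary or "*" in vary:
        return "ok", "Vary covers Cookie; caches key the response on the cookie"
    if cache & {"private", "no-store"}:
        return "ok", "Cache-Control marks the response private/non-cacheable"
    if "set-cookie" in h:
        return "at-risk", "Set-Cookie without Vary: Cookie; safe only if the proxy skips cookie responses"
    return "at-risk", "no Vary: Cookie and not private/no-store; a shared proxy may store it"


# Constructed samples shaped like `curl -i` output, not real captures.
VULNERABLE_STYLE = "HTTP/1.1 200 OK\nCache-Control: public, max-age=300\nContent-Type: text/html\n"
FIXED_STYLE = "HTTP/1.1 200 OK\nVary: Accept-Encoding\nVary: Cookie\nContent-Type: text/html\n"

if __name__ == "__main__":
    for label, raw in (("vulnerable-style", VULNERABLE_STYLE), ("fixed-style", FIXED_STYLE)):
        print(f"{label}: {assess(raw)[0]} ({assess(raw)[1]})")
```

Feed it the output of `curl -i` (not `-I`, so that the status line and any repeated `Vary:` lines are preserved) for a route that touches the session; an `at-risk` verdict on a route served through a shared cache is what the description warns about.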


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Flask to version 3.1.3 or later, where the vulnerability has been fixed by ensuring the `Vary: Cookie` header is correctly set whenever the session is accessed.

If upgrading immediately is not possible, you should ensure that your caching proxies are configured to ignore responses with cookies or that your application sets appropriate Cache-Control headers to prevent caching of sensitive session data.

Review your application code to avoid accessing the session object in ways that only check keys without reading or mutating session values, as these were the cases overlooked by the vulnerable versions.

