CVE-2026-27205

Severity: Low (CVSS 4.0 base score 2.3)
EPSS: 29.2%
Published: Feb 21, 2026 · Last Modified: Feb 24, 2026

Description

Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, Flask is supposed to set the Vary: Cookie header whenever the session object is accessed. That header tells caches to key the response on the request's Cookie header, so a response generated for one logged-in user is not served to another. Most forms of session access are handled correctly, but some were overlooked, such as a key-membership test with the Python in operator; a view that only does that gets no Vary: Cookie header, which is a Use of Cache Containing Sensitive Information weakness (CWE-524). The severity and risk depend on three conditions holding together: the application is hosted behind a caching proxy that does not ignore responses with cookies; the application does not set a Cache-Control header marking pages as private or non-cacheable; and a view accesses the session in a way that only touches keys, without reading values or mutating the session. The issue has been fixed in version 3.1.3.
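The following is an added example, not Flask's own code, that models the access-tracking logic the advisory describes so the overlooked case can be reproduced offline. The class, function and view names (TrackingSession, PatchedTrackingSession, finalize_headers, mark_private, shared_cache_would_store) are assumptions chosen for the illustration, the session contents are constructed, and the caching proxy is a toy model of the permissive deployment the advisory warns about; the real fix is in the linked commit.

```python
# Added example, not Flask's own code: a stand-alone model of the header logic
# behind CVE-2026-27205. Class, function and route names are assumptions chosen
# to mirror the advisory, not Flask identifiers.


class TrackingSession(dict):
    """Session stand-in with the pre-3.1.3 behaviour the advisory describes.

    Reads through __getitem__/get set `accessed`; writes set `modified`.
    Membership tests fall through to dict.__contains__ unchanged, so
    `"key" in session` leaves `accessed` False. (Model, not Flask's class.)
    """

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.accessed = False
        self.modified = False

    def __getitem__(self, key):
        self.accessed = True
        return super().__getitem__(key)

    def get(self, key, default=None):
        self.accessed = True
        return super().get(key, default)

    def __setitem__(self, key, value):
        self.modified = True
        super().__setitem__(key, value)


class PatchedTrackingSession(TrackingSession):
    """Same model with the 3.1.3 behaviour: a key-membership test also counts
    as an access, so such a view ends up emitting Vary: Cookie too."""

    def __contains__(self, key):
        self.accessed = True
        return super().__contains__(key)


def finalize_headers(session, headers=None):
    """Model of the end-of-request step that adds Vary: Cookie only when the
    session was accessed or modified. (Simplified model, not Flask's code.)"""
    headers = dict(headers or {})
    if session.accessed or session.modified:
        headers["Vary"] = "Cookie"
    return headers


def mark_private(headers):
    """Mitigation independent of the Flask fix: an after-request hook that
    marks every response private, so a shared cache will not store it even
    when Vary: Cookie is missing. (Assumed hook, not part of Flask.)"""
    headers = dict(headers)
    headers["Cache-Control"] = "private"
    return headers


def view_reads_value(session):
    """View that reads a value: this path does mark the session accessed."""
    return "hello " + str(session.get("user"))


def view_membership_only(session):
    """View that only asks whether a key exists: the overlooked access form.
    The body still depends on who the caller is, so caching it is unsafe."""
    return "logged in" if "user" in session else "anonymous"


def run_request(view, session_cls, cookie_data):
    """Simulate one request: load the session from (constructed) cookie data,
    run the view, and compute the response headers."""
    session = session_cls(cookie_data)
    body = view(session)
    return body, finalize_headers(session)


def shared_cache_would_store(headers):
    """Toy model of the permissive caching proxy the advisory warns about: it
    does not special-case cookies and honours only Cache-Control and Vary.
    A response varying on Cookie is keyed per cookie value, so it cannot be
    served to a different user and is treated as not shareable here."""
    cache_control = headers.get("Cache-Control", "").lower()
    if "private" in cache_control or "no-store" in cache_control:
        return False
    if "cookie" in headers.get("Vary", "").lower():
        return False
    return True


if __name__ == "__main__":
    alice = {"user": "alice"}  # constructed session contents
    for label, cls in (("3.1.2", TrackingSession), ("3.1.3", PatchedTrackingSession)):
        body, headers = run_request(view_membership_only, cls, alice)
        print(label, body, headers, "shared-cacheable:", shared_cache_would_store(headers))
```

Running the block shows the membership-only view producing no Vary header under the pre-fix model (and therefore a response the toy proxy would happily store and serve to the next anonymous visitor), while the patched model and the value-reading view both emit Vary: Cookie. The mark_private helper illustrates the second precondition from the description: a Cache-Control: private header removes the exposure regardless of whether the Vary header is present.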

CVSS Details

Base Score: 2.3 (CVSS 4.0, Low)
Vector string:
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: Present (AT:P), reflecting the deployment preconditions listed in the description
Privileges Required: None (PR:N)
User Interaction: Passive (UI:P)
Vulnerable System Impact: Confidentiality Low (VC:L), Integrity None (VI:N), Availability None (VA:N)
Subsequent System Impact: None (SC:N/SI:N/SA:N)
Threat, Environmental and Supplemental metrics: Not Defined (X)

Threat Intelligence

EPSS Exploit Probability: 29.2% (percentile)
Exploit & Patch Status: No Known Exploit; Patch Available

Weaknesses (1)

CWE-524: Use of Cache Containing Sensitive Information

Affected Products (1)

Vendor           Product   Version Range
palletsprojects  flask     < 3.1.3 (all earlier versions)

References (3)

  • github.com https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4
    Patch
  • github.com https://github.com/pallets/flask/releases/tag/3.1.3
    Product Release Notes
  • github.com https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726
    Vendor Advisory

Remediation

Upgrade to Flask 3.1.3 or later. Until the upgrade is deployed, the exposure can be removed by breaking either of the other preconditions from the description: set a Cache-Control header that marks session-dependent pages as private or non-cacheable, or configure the caching proxy to ignore responses that carry cookies.

  • github.com https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4
    Patch