UNKNOWN PyPI
Flask session does not add `Vary: Cookie` header when accessed in some ways
GHSA-68rp-wp8r-4726 · CVE-2026-27205
Published · Modified
Description
When the session object is accessed, Flask should set the Vary: Cookie header. This instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked.
The severity depends on the application's use of the session, and the cache's behavior regarding cookies. The risk depends on all these conditions being met.
- The application must be hosted behind a caching proxy that does not ignore responses with cookies.
- The application does not set a
Cache-Controlheader to indicate that a page is private or should not be cached. - The application accesses the session in a way that does not access the values, only the keys, and does not mutate the session.
References
- WEB https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-27205
- WEB https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4
- PACKAGE https://github.com/pallets/flask
- WEB https://github.com/pallets/flask/releases/tag/3.1.3
Ready to move
Start Securing
Free, no credit card | First findings in minutes