CVE-2026-27205

Name	CVE-2026-27205
Description	Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked. The severity and risk depend on the application being hosted behind a caching proxy that doesn't ignore responses with cookies, not setting a Cache-Control header to mark pages as private or non-cacheable, and accessing the session in a way that only touches keys without reading values or mutating the session. The issue has been fixed in version 3.1.3.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1128620

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
flask (PTS)	bullseye (security), bullseye	1.1.2-2+deb11u1	vulnerable
	bookworm	2.2.2-3	vulnerable
	trixie	3.1.1-1	vulnerable
	forky	3.1.2-1	vulnerable
	sid	3.1.3-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
flask	source	(unstable)	3.1.3-1			1128620

Notes

[trixie] - flask <no-dsa> (Minor issue)
[bookworm] - flask <no-dsa> (Minor issue)
[bullseye] - flask <postponed> (Minor issue, hard to trigger)
https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726
Fixed by: https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4 (3.1.3)