PyPI: flask

CVE-2026-27205

Safety vulnerability ID: SFTY-20260219-75691

Safety legacy ID: pyup.io-86909

Created at: Mar 4, 2026

Updated at: Mar 4, 2026

Overview

Flask session does not add `Vary: Cookie` header when accessed in some ways

Advisory

Affected versions of the Flask package are vulnerable to Information Disclosure due to missing cache-variation headers when the session object is accessed via certain code paths. In Flask’s session handling, accessing `flask.session` is intended to set a `Vary: Cookie` response header, but session key-only access patterns (such as using the Python `in` operator to test for a key without reading or mutating session values) can bypass the logic that adds the header.
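Why the missing header matters: a response whose body depends on the session cookie but carries no `Vary: Cookie` can be stored by a shared cache and handed to a different client. The following is an added example, not Flask's own code and not the upstream fix in 3.1.3. It is a pure-Python WSGI middleware (no Flask import needed to run it) that merges `Cookie` into the `Vary` header of every response, regardless of which code path touched the session; adding the header unconditionally is this example's own conservative choice, which costs some cache efficiency on responses that do not depend on the session. The toy WSGI app, the environ builder and the sample cookie value are constructed for the demonstration.

```python
"""Added example: a WSGI-level workaround that guarantees ``Vary: Cookie``.

Not Flask's own code. With a Flask app you would wrap the WSGI callable:

    app.wsgi_app = VaryCookieMiddleware(app.wsgi_app)
"""
from typing import Callable, Iterable, List, Optional, Tuple

Headers = List[Tuple[str, str]]
WSGIApp = Callable[[dict, Callable], Iterable[bytes]]


def add_vary_cookie(headers: Headers) -> Headers:
    """Return a copy of ``headers`` with ``Cookie`` merged into ``Vary``.

    All existing Vary headers are folded into one:
      - no Vary header at all                -> ``Vary: Cookie`` appended
      - ``Vary: *``                          -> kept as ``*`` (varies on everything)
      - ``Cookie`` already listed (any case) -> list left unchanged
      - otherwise                            -> ``Cookie`` appended to the list
    """
    out: Headers = []
    vary_parts: List[str] = []
    for name, value in headers:
        if name.lower() == "vary":
            vary_parts.extend(p.strip() for p in value.split(",") if p.strip())
        else:
            out.append((name, value))
    if "*" in vary_parts:
        vary_parts = ["*"]
    elif not any(p.lower() == "cookie" for p in vary_parts):
        vary_parts.append("Cookie")
    out.append(("Vary", ", ".join(vary_parts)))
    return out


class VaryCookieMiddleware:
    """Wrap a WSGI app and patch the headers passed to start_response."""

    def __init__(self, app: WSGIApp) -> None:
        self.app = app

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        def patched_start_response(status, headers, exc_info=None):
            return start_response(status, add_vary_cookie(list(headers)), exc_info)

        return self.app(environ, patched_start_response)


def toy_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Constructed stand-in for a view doing ``if "user_id" in session:``.

    The body depends on the Cookie header, but the app emits no Vary header
    itself, mirroring the affected code path described in the advisory.
    """
    cookie = environ.get("HTTP_COOKIE", "")
    body = b"hello, user" if "session=" in cookie else b"hello, anonymous"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call_wsgi(app: WSGIApp, cookie: Optional[str] = None) -> Tuple[str, Headers, bytes]:
    """Drive a WSGI app with a minimal constructed environ; return (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "SERVER_NAME": "localhost",
               "SERVER_PORT": "80", "wsgi.url_scheme": "http"}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
        return lambda data: None

    chunks = app(environ, start_response)
    body = b"".join(chunks)
    if hasattr(chunks, "close"):
        chunks.close()
    return captured["status"], captured["headers"], body


def vary_header(headers: Headers) -> Optional[str]:
    """Return the value of the Vary header, or None if absent."""
    return next((v for k, v in headers if k.lower() == "vary"), None)


if __name__ == "__main__":
    sample_cookie = "session=constructed-sample-value"  # constructed, not a real session
    _, raw_headers, _ = call_wsgi(toy_app, sample_cookie)
    _, wrapped_headers, _ = call_wsgi(VaryCookieMiddleware(toy_app), sample_cookie)
    print("unwrapped Vary:", vary_header(raw_headers))      # None: cacheable per URL only
    print("wrapped Vary:  ", vary_header(wrapped_headers))  # Cookie
```

The middleware only rewrites headers, so response bodies and status codes pass through untouched; `add_vary_cookie` is kept separate so the merging rules (including the `Vary: *` case and case-insensitive matching of an existing `Cookie` entry) can be checked on their own.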

Affected Package

Affecting flask package, versions <3.1.3

Also affects

---

How to Fix

Upgrade flask to 3.1.3 or higher.

Mitigation and Workarounds

---

Vulnerable Functions

Functions linked to known vulnerabilities.

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.