CVE-2026-27205
Cache Poisoning vulnerability in flask (PyPI)
What is CVE-2026-27205 About?
This vulnerability in Flask can lead to cache poisoning, where cached responses intended for one user are served to others. It occurs because Flask fails to set the `Vary: Cookie` header when the session object is accessed in certain ways (e.g., `in` operator), allowing proxies to cache session-dependent content globally. Exploitation is moderate, depending on specific application logic and cache configurations.
Affected Software
Technical Details
When a Flask application interacts with the session object, it should typically instruct caching proxies not to cache the response by setting the `Vary: Cookie` header, as the response content might be session-dependent. However, this vulnerability describes a scenario where certain forms of session access, specifically checking for a key's presence using the Python `in` operator on the session object (e.g., `'key' in session`), were overlooked. This omission means that if an application only accesses the session via such methods without mutating it or explicitly accessing its values, the `Vary: Cookie` header will not be set, allowing an upstream caching proxy to store and serve potentially personalized content to unintended users, leading to cache poisoning.
What is the Impact of CVE-2026-27205?
Successful exploitation may allow attackers to cause a caching proxy to serve sensitive or personalized content to unintended users, leading to information disclosure or session impersonation.
What is the Exploitability of CVE-2026-27205?
Exploitation of this vulnerability is complex and depends on several specific conditions. The application must be behind a caching proxy that does not ignore responses with cookies and does not set a `Cache-Control` header to prevent caching. Furthermore, the application must access the session in a way that triggers the vulnerability (e.g., using the `in` operator) without explicitly modifying or accessing session values. There are no authentication or privilege requirements, as this targets how content is cached. This is a remote vulnerability. The risk is significantly increased when applications handle sensitive data via sessions and rely on default caching behavior without explicit `Cache-Control` directives.
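The following is an added example, not Flask's own code or anything from the advisory. It models the mechanism described in the Technical Details and Exploitability sections: a cookie-backed session object records whether it was accessed, and the session interface emits `Vary: Cookie` only when that flag is set. The `ModelSession` class, its `fixed` switch and the `greeting_view` route are assumptions built for illustration; the vulnerable variant leaves the flag untouched on `key in session`, the fixed variant sets it. The `audit` helper then applies the caching-proxy conditions from the Exploitability section to a list of constructed response headers and flags the ones a shared cache could store for every user.

```python
"""Model of the Vary: Cookie mechanism behind CVE-2026-27205 (added example)."""
from typing import Dict, Iterable, List


class ModelSession(dict):
    """Toy stand-in for a cookie-backed session (assumption: Flask-like API).

    `accessed` is the flag the session interface consults when deciding
    whether to add `Vary: Cookie`; `modified` tracks writes.
    """

    def __init__(self, data=None, *, fixed: bool):
        super().__init__(data or {})   # dict.__init__ does not call __setitem__
        self.accessed = False
        self.modified = False
        self.fixed = fixed

    def __getitem__(self, key):
        self.accessed = True
        return super().__getitem__(key)

    def get(self, key, default=None):
        self.accessed = True
        return super().get(key, default)

    def __setitem__(self, key, value):
        self.accessed = self.modified = True
        super().__setitem__(key, value)

    def __contains__(self, key):
        # Vulnerable behaviour: a membership test is not recorded as access,
        # so a response that branches on it never gets Vary: Cookie.
        # The fixed variant treats `key in session` like any other read.
        if self.fixed:
            self.accessed = True
        return super().__contains__(key)


def finalize_headers(session: ModelSession, headers: Dict[str, str]) -> Dict[str, str]:
    """Mimic the save-session step: append Cookie to Vary only if the session was touched."""
    out = dict(headers)
    if session.accessed or session.modified:
        vary = [v.strip() for v in out.get("Vary", "").split(",") if v.strip()]
        if "Cookie" not in vary:
            vary.append("Cookie")
        out["Vary"] = ", ".join(vary)
    return out


def greeting_view(session: ModelSession) -> Dict[str, str]:
    """Hypothetical route whose body depends on the session, but only via `in`."""
    body = "Welcome back" if "user" in session else "Hello, stranger"
    return finalize_headers(session, {"Content-Type": "text/plain", "X-Body": body})


def uncacheable_by_shared_cache(headers: Dict[str, str]) -> bool:
    """True if a well-behaved shared cache must not reuse this response across users."""
    cc = {d.strip().lower() for d in headers.get("Cache-Control", "").split(",")}
    if cc & {"private", "no-store"}:
        return True
    vary = {v.strip().lower() for v in headers.get("Vary", "").split(",")}
    return "cookie" in vary or "*" in vary


def audit(responses: Iterable[Dict[str, str]]) -> List[int]:
    """Indexes of responses that a shared cache could serve to every user."""
    return [i for i, h in enumerate(responses) if not uncacheable_by_shared_cache(h)]


if __name__ == "__main__":
    vulnerable = greeting_view(ModelSession({"user": "alice"}, fixed=False))
    patched = greeting_view(ModelSession({"user": "alice"}, fixed=True))
    print("vulnerable:", vulnerable.get("Vary"))   # None: cacheable for everyone
    print("patched:   ", patched.get("Vary"))      # Cookie
    print("flagged:   ", audit([vulnerable, patched]))
```

The `audit` check is the part worth reusing: point it at real captured headers from any endpoint that reads the session and it tells you which responses depend on neither `Vary: Cookie` nor a `private`/`no-store` directive. Independently of the Flask upgrade, an application-level `after_request` hook that sets `Cache-Control: private` (or `no-store` for sensitive pages) on every session-dependent response removes the dependence on how the session happened to be read.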
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-27205?
Available Upgrade Options
- flask
- <3.1.3 → Upgrade to 3.1.3
Additional Resources
- https://github.com/pallets/flask/releases/tag/3.1.3
- https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726
- https://osv.dev/vulnerability/GHSA-68rp-wp8r-4726
- https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4
- https://github.com/pallets/flask
What are Similar Vulnerabilities to CVE-2026-27205?
Similar Vulnerabilities: CVE-2023-34053, CVE-2022-31189, CVE-2021-32640, CVE-2020-28198, CVE-2019-10758
