Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-rx8q-6dwq-a3hs
Vulnerability ID VCID-rx8q-6dwq-a3hs
Aliases CVE-2026-27205
GHSA-68rp-wp8r-4726
Summary Flask session does not add `Vary: Cookie` header when accessed in some ways When the `session` object is accessed, Flask should set the `Vary: Cookie` header. This instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python `in` operator were overlooked. The severity depends on the application's use of the session, and the cache's behavior regarding cookies. The risk depends on all these conditions being met. 1. The application must be hosted behind a caching proxy that does not ignore responses with cookies. 2. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached. 3. The application accesses the session in a way that does not access the values, only the keys, and does not mutate the session.
Status Published
Exploitability 0.5
Weighted Severity 3.9
Risk 1.9
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-524 Use of Cache Containing Sensitive Information
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 4.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27205.json
epss 0.00011 https://api.first.org/data/v1/epss?cve=CVE-2026-27205
epss 0.00011 https://api.first.org/data/v1/epss?cve=CVE-2026-27205
epss 0.00011 https://api.first.org/data/v1/epss?cve=CVE-2026-27205
epss 0.00011 https://api.first.org/data/v1/epss?cve=CVE-2026-27205
epss 0.00011 https://api.first.org/data/v1/epss?cve=CVE-2026-27205
epss 0.00011 https://api.first.org/data/v1/epss?cve=CVE-2026-27205
epss 0.00011 https://api.first.org/data/v1/epss?cve=CVE-2026-27205
epss 0.00011 https://api.first.org/data/v1/epss?cve=CVE-2026-27205
epss 0.00011 https://api.first.org/data/v1/epss?cve=CVE-2026-27205
epss 0.00011 https://api.first.org/data/v1/epss?cve=CVE-2026-27205
epss 0.00011 https://api.first.org/data/v1/epss?cve=CVE-2026-27205
epss 0.00011 https://api.first.org/data/v1/epss?cve=CVE-2026-27205
epss 0.00011 https://api.first.org/data/v1/epss?cve=CVE-2026-27205
cvssv3.1 6.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr LOW https://github.com/advisories/GHSA-68rp-wp8r-4726
cvssv4 2.3 https://github.com/pallets/flask
generic_textual LOW https://github.com/pallets/flask
cvssv4 2.3 https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4
generic_textual LOW https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4
ssvc Track https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4
cvssv4 2.3 https://github.com/pallets/flask/releases/tag/3.1.3
generic_textual LOW https://github.com/pallets/flask/releases/tag/3.1.3
ssvc Track https://github.com/pallets/flask/releases/tag/3.1.3
cvssv3.1_qr LOW https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726
cvssv4 2.3 https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726
generic_textual LOW https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726
ssvc Track https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726
cvssv4 2.3 https://nvd.nist.gov/vuln/detail/CVE-2026-27205
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2026-27205
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27205.json
https://api.first.org/data/v1/epss?cve=CVE-2026-27205
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27205
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/pallets/flask
https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4
https://github.com/pallets/flask/releases/tag/3.1.3
https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726
https://nvd.nist.gov/vuln/detail/CVE-2026-27205
1128620 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128620
2441596 https://bugzilla.redhat.com/show_bug.cgi?id=2441596
GHSA-68rp-wp8r-4726 https://github.com/advisories/GHSA-68rp-wp8r-4726
USN-8104-1 https://usn.ubuntu.com/8104-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27205.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/pallets/flask
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T19:02:52Z/ Found at https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/pallets/flask/releases/tag/3.1.3
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T19:02:52Z/ Found at https://github.com/pallets/flask/releases/tag/3.1.3
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-24T19:02:52Z/ Found at https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-27205
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.01344
EPSS Score 0.00011
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:52:42.837252+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-68rp-wp8r-4726/GHSA-68rp-wp8r-4726.json 38.0.0