Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
8 vulnerabilities found for flask by palletsprojects
CVE-2026-27205 (GCVE-0-2026-27205)
Vulnerability from nvd – Published: 2026-02-21 05:21 – Updated: 2026-02-24 19:03
VLAI?
Title
Flask session does not add `Vary: Cookie` header when accessed in some ways
Summary
Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked. The severity and risk depend on the application being hosted behind a caching proxy that doesn't ignore responses with cookies, not setting a Cache-Control header to mark pages as private or non-cacheable, and accessing the session in a way that only touches keys without reading values or mutating the session. The issue has been fixed in version 3.1.3.
Severity ?
CWE
- CWE-524 - Use of Cache Containing Sensitive Information
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27205",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T19:02:52.515600Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T19:03:11.374Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "flask",
"vendor": "pallets",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked. The severity and risk depend on the application being hosted behind a caching proxy that doesn\u0027t ignore responses with cookies, not setting a Cache-Control header to mark pages as private or non-cacheable, and accessing the session in a way that only touches keys without reading values or mutating the session. The issue has been fixed in version 3.1.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-524",
"description": "CWE-524: Use of Cache Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-21T05:21:17.214Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726"
},
{
"name": "https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4"
},
{
"name": "https://github.com/pallets/flask/releases/tag/3.1.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pallets/flask/releases/tag/3.1.3"
}
],
"source": {
"advisory": "GHSA-68rp-wp8r-4726",
"discovery": "UNKNOWN"
},
"title": "Flask session does not add `Vary: Cookie` header when accessed in some ways"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27205",
"datePublished": "2026-02-21T05:21:17.214Z",
"dateReserved": "2026-02-18T19:47:02.155Z",
"dateUpdated": "2026-02-24T19:03:11.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-30861 (GCVE-0-2023-30861)
Vulnerability from nvd – Published: 2023-05-02 17:04 – Updated: 2025-02-13 16:49
VLAI?
Title
Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header
Summary
Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.
1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
2. The application sets `session.permanent = True`
3. The application does not access or modify the session at any point during a request.
4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default).
5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.
This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.
Severity ?
7.5 (High)
CWE
- CWE-539 - Use of Persistent Cookies Containing Sensitive Information
Assigner
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:37:15.503Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq"
},
{
"name": "https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b"
},
{
"name": "https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965"
},
{
"name": "https://github.com/pallets/flask/releases/tag/2.2.5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pallets/flask/releases/tag/2.2.5"
},
{
"name": "https://github.com/pallets/flask/releases/tag/2.3.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pallets/flask/releases/tag/2.3.2"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5442"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230818-0006/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00024.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30861",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-30T16:29:21.702514Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-30T16:29:41.159Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "flask",
"vendor": "pallets",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.3.0, \u003c 2.3.2"
},
{
"status": "affected",
"version": "\u003c 2.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client\u0027s `session` cookie to other clients. The severity depends on the application\u0027s use of the session and the proxy\u0027s behavior regarding cookies. The risk depends on all these conditions being met.\n\n1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.\n2. The application sets `session.permanent = True`\n3. The application does not access or modify the session at any point during a request.\n4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default).\n5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.\n\nThis happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-539",
"description": "CWE-539: Use of Persistent Cookies Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-20T20:06:11.279Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq"
},
{
"name": "https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b"
},
{
"name": "https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965"
},
{
"name": "https://github.com/pallets/flask/releases/tag/2.2.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pallets/flask/releases/tag/2.2.5"
},
{
"name": "https://github.com/pallets/flask/releases/tag/2.3.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pallets/flask/releases/tag/2.3.2"
},
{
"url": "https://www.debian.org/security/2023/dsa-5442"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230818-0006/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00024.html"
}
],
"source": {
"advisory": "GHSA-m2qf-hxjv-5gpq",
"discovery": "UNKNOWN"
},
"title": "Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-30861",
"datePublished": "2023-05-02T17:04:22.197Z",
"dateReserved": "2023-04-18T16:13:15.882Z",
"dateUpdated": "2025-02-13T16:49:37.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-1010083 (GCVE-0-2019-1010083)
Vulnerability from nvd – Published: 2019-07-17 13:59 – Updated: 2024-08-05 03:07
VLAI?
Summary
The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.
Severity ?
No CVSS data available.
CWE
- unexpected memory usage
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Pallets Project | Flask |
Affected:
≤ 1.0 [fixed: 1]
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:07:18.278Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.palletsprojects.com/blog/flask-1-0-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Flask",
"vendor": "The Pallets Project",
"versions": [
{
"status": "affected",
"version": "\u2264 1.0 [fixed: 1]"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "unexpected memory usage",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-25T15:43:52.000Z",
"orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"shortName": "dwf"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.palletsprojects.com/blog/flask-1-0-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@distributedweaknessfiling.org",
"ID": "CVE-2019-1010083",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Flask",
"version": {
"version_data": [
{
"version_value": "\u2264 1.0 [fixed: 1]"
}
]
}
}
]
},
"vendor_name": "The Pallets Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "unexpected memory usage"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.palletsprojects.com/blog/flask-1-0-released/",
"refsource": "CONFIRM",
"url": "https://www.palletsprojects.com/blog/flask-1-0-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"assignerShortName": "dwf",
"cveId": "CVE-2019-1010083",
"datePublished": "2019-07-17T13:59:09.000Z",
"dateReserved": "2019-03-20T00:00:00.000Z",
"dateUpdated": "2024-08-05T03:07:18.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000656 (GCVE-0-2018-1000656)
Vulnerability from nvd – Published: 2018-08-20 19:00 – Updated: 2024-08-05 12:40
VLAI?
Summary
The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Date Public ?
2018-04-10 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:47.801Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20190221-0001/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pallets/flask/pull/2691"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pallets/flask/releases/tag/0.12.3"
},
{
"name": "[debian-lts-announce] 20190820 [SECURITY] [DLA 1892-1] flask security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"
},
{
"name": "USN-4378-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4378-1/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-08-19T00:00:00.000Z",
"datePublic": "2018-04-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-09T21:06:29.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20190221-0001/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pallets/flask/pull/2691"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pallets/flask/releases/tag/0.12.3"
},
{
"name": "[debian-lts-announce] 20190820 [SECURITY] [DLA 1892-1] flask security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"
},
{
"name": "USN-4378-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4378-1/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-08-19T17:09:33.130462",
"DATE_REQUESTED": "2018-08-15T16:18:15",
"ID": "CVE-2018-1000656",
"REQUESTER": "secure@veritas.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.netapp.com/advisory/ntap-20190221-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20190221-0001/"
},
{
"name": "https://github.com/pallets/flask/pull/2691",
"refsource": "CONFIRM",
"url": "https://github.com/pallets/flask/pull/2691"
},
{
"name": "https://github.com/pallets/flask/releases/tag/0.12.3",
"refsource": "CONFIRM",
"url": "https://github.com/pallets/flask/releases/tag/0.12.3"
},
{
"name": "[debian-lts-announce] 20190820 [SECURITY] [DLA 1892-1] flask security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"
},
{
"name": "USN-4378-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4378-1/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000656",
"datePublished": "2018-08-20T19:00:00.000Z",
"dateReserved": "2018-08-15T00:00:00.000Z",
"dateUpdated": "2024-08-05T12:40:47.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-27205 (GCVE-0-2026-27205)
Vulnerability from cvelistv5 – Published: 2026-02-21 05:21 – Updated: 2026-02-24 19:03
VLAI?
Title
Flask session does not add `Vary: Cookie` header when accessed in some ways
Summary
Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked. The severity and risk depend on the application being hosted behind a caching proxy that doesn't ignore responses with cookies, not setting a Cache-Control header to mark pages as private or non-cacheable, and accessing the session in a way that only touches keys without reading values or mutating the session. The issue has been fixed in version 3.1.3.
Severity ?
CWE
- CWE-524 - Use of Cache Containing Sensitive Information
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27205",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T19:02:52.515600Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T19:03:11.374Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "flask",
"vendor": "pallets",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked. The severity and risk depend on the application being hosted behind a caching proxy that doesn\u0027t ignore responses with cookies, not setting a Cache-Control header to mark pages as private or non-cacheable, and accessing the session in a way that only touches keys without reading values or mutating the session. The issue has been fixed in version 3.1.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-524",
"description": "CWE-524: Use of Cache Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-21T05:21:17.214Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726"
},
{
"name": "https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4"
},
{
"name": "https://github.com/pallets/flask/releases/tag/3.1.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pallets/flask/releases/tag/3.1.3"
}
],
"source": {
"advisory": "GHSA-68rp-wp8r-4726",
"discovery": "UNKNOWN"
},
"title": "Flask session does not add `Vary: Cookie` header when accessed in some ways"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27205",
"datePublished": "2026-02-21T05:21:17.214Z",
"dateReserved": "2026-02-18T19:47:02.155Z",
"dateUpdated": "2026-02-24T19:03:11.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-30861 (GCVE-0-2023-30861)
Vulnerability from cvelistv5 – Published: 2023-05-02 17:04 – Updated: 2025-02-13 16:49
VLAI?
Title
Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header
Summary
Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.
1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
2. The application sets `session.permanent = True`
3. The application does not access or modify the session at any point during a request.
4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default).
5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.
This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.
Severity ?
7.5 (High)
CWE
- CWE-539 - Use of Persistent Cookies Containing Sensitive Information
Assigner
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:37:15.503Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq"
},
{
"name": "https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b"
},
{
"name": "https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965"
},
{
"name": "https://github.com/pallets/flask/releases/tag/2.2.5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pallets/flask/releases/tag/2.2.5"
},
{
"name": "https://github.com/pallets/flask/releases/tag/2.3.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pallets/flask/releases/tag/2.3.2"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5442"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230818-0006/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00024.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30861",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-30T16:29:21.702514Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-30T16:29:41.159Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "flask",
"vendor": "pallets",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.3.0, \u003c 2.3.2"
},
{
"status": "affected",
"version": "\u003c 2.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client\u0027s `session` cookie to other clients. The severity depends on the application\u0027s use of the session and the proxy\u0027s behavior regarding cookies. The risk depends on all these conditions being met.\n\n1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.\n2. The application sets `session.permanent = True`\n3. The application does not access or modify the session at any point during a request.\n4. `SESSION_REFRESH_EACH_REQUEST` enabled (the default).\n5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.\n\nThis happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-539",
"description": "CWE-539: Use of Persistent Cookies Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-20T20:06:11.279Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pallets/flask/security/advisories/GHSA-m2qf-hxjv-5gpq"
},
{
"name": "https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pallets/flask/commit/70f906c51ce49c485f1d355703e9cc3386b1cc2b"
},
{
"name": "https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pallets/flask/commit/afd63b16170b7c047f5758eb910c416511e9c965"
},
{
"name": "https://github.com/pallets/flask/releases/tag/2.2.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pallets/flask/releases/tag/2.2.5"
},
{
"name": "https://github.com/pallets/flask/releases/tag/2.3.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pallets/flask/releases/tag/2.3.2"
},
{
"url": "https://www.debian.org/security/2023/dsa-5442"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230818-0006/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00024.html"
}
],
"source": {
"advisory": "GHSA-m2qf-hxjv-5gpq",
"discovery": "UNKNOWN"
},
"title": "Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-30861",
"datePublished": "2023-05-02T17:04:22.197Z",
"dateReserved": "2023-04-18T16:13:15.882Z",
"dateUpdated": "2025-02-13T16:49:37.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-1010083 (GCVE-0-2019-1010083)
Vulnerability from cvelistv5 – Published: 2019-07-17 13:59 – Updated: 2024-08-05 03:07
VLAI?
Summary
The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.
Severity ?
No CVSS data available.
CWE
- unexpected memory usage
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Pallets Project | Flask |
Affected:
≤ 1.0 [fixed: 1]
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:07:18.278Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.palletsprojects.com/blog/flask-1-0-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Flask",
"vendor": "The Pallets Project",
"versions": [
{
"status": "affected",
"version": "\u2264 1.0 [fixed: 1]"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "unexpected memory usage",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-25T15:43:52.000Z",
"orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"shortName": "dwf"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.palletsprojects.com/blog/flask-1-0-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@distributedweaknessfiling.org",
"ID": "CVE-2019-1010083",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Flask",
"version": {
"version_data": [
{
"version_value": "\u2264 1.0 [fixed: 1]"
}
]
}
}
]
},
"vendor_name": "The Pallets Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "unexpected memory usage"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.palletsprojects.com/blog/flask-1-0-released/",
"refsource": "CONFIRM",
"url": "https://www.palletsprojects.com/blog/flask-1-0-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8",
"assignerShortName": "dwf",
"cveId": "CVE-2019-1010083",
"datePublished": "2019-07-17T13:59:09.000Z",
"dateReserved": "2019-03-20T00:00:00.000Z",
"dateUpdated": "2024-08-05T03:07:18.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000656 (GCVE-0-2018-1000656)
Vulnerability from cvelistv5 – Published: 2018-08-20 19:00 – Updated: 2024-08-05 12:40
VLAI?
Summary
The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Date Public ?
2018-04-10 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:47.801Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20190221-0001/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pallets/flask/pull/2691"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pallets/flask/releases/tag/0.12.3"
},
{
"name": "[debian-lts-announce] 20190820 [SECURITY] [DLA 1892-1] flask security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"
},
{
"name": "USN-4378-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4378-1/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-08-19T00:00:00.000Z",
"datePublic": "2018-04-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-09T21:06:29.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20190221-0001/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pallets/flask/pull/2691"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pallets/flask/releases/tag/0.12.3"
},
{
"name": "[debian-lts-announce] 20190820 [SECURITY] [DLA 1892-1] flask security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"
},
{
"name": "USN-4378-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4378-1/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-08-19T17:09:33.130462",
"DATE_REQUESTED": "2018-08-15T16:18:15",
"ID": "CVE-2018-1000656",
"REQUESTER": "secure@veritas.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.netapp.com/advisory/ntap-20190221-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20190221-0001/"
},
{
"name": "https://github.com/pallets/flask/pull/2691",
"refsource": "CONFIRM",
"url": "https://github.com/pallets/flask/pull/2691"
},
{
"name": "https://github.com/pallets/flask/releases/tag/0.12.3",
"refsource": "CONFIRM",
"url": "https://github.com/pallets/flask/releases/tag/0.12.3"
},
{
"name": "[debian-lts-announce] 20190820 [SECURITY] [DLA 1892-1] flask security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"
},
{
"name": "USN-4378-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4378-1/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000656",
"datePublished": "2018-08-20T19:00:00.000Z",
"dateReserved": "2018-08-15T00:00:00.000Z",
"dateUpdated": "2024-08-05T12:40:47.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}