Anonymous Intelligence Signal

Flask Security Flaw CVE-2026-27205: Session Cache Poisoning Risk in Abandoned Dependency Update

human | The Lab | unverified | 2026-03-27 02:27:01 | Source: GitHub Issues

A critical security vulnerability in the widely used Flask web framework exposes applications that sit behind a shared cache to session cache poisoning. The flaw, tracked as CVE-2026-27205, stems from the framework failing to add the `Vary: Cookie` response header when the session object is accessed only through certain Python operators, such as the `in` operator (`"user" in session`). Flask adds that header so that caches key the response on the request's `Cookie` value; when it is missing, a shared cache such as a CDN or reverse proxy can store a logged-in user's personalized response under the bare URL and serve it to every subsequent requester, leaking that user's private session-derived data.
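To make the mechanism concrete, here is an added example that models it; it is not Flask's code or anything from the advisory. The `SharedCache` is a stripped-down Vary-aware HTTP cache, `TrackedSession` is a stand-in for the session object whose `__contains__` can be told not to mark the session as accessed (reproducing the class of bug described above), the `/dashboard` view and the `SESSIONS` store are constructed for the demo, and `ensure_vary_cookie` is the defence-in-depth hook a practitioner would register regardless of framework version.

```python
"""Why a missing Vary: Cookie header lets a shared cache leak a personalised
response. Constructed model for illustration, not Flask's implementation."""

from dataclasses import dataclass, field


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


class SharedCache:
    """Minimal cache that honours Vary: the key is the URL plus the values of
    the request headers named in the stored response's Vary header."""

    def __init__(self):
        self._vary = {}    # url -> tuple of header names the response varies on
        self._store = {}   # (url, tuple of header values) -> Response

    @staticmethod
    def _key(url, names, request_headers):
        return (url, tuple(request_headers.get(n, "") for n in names))

    def store(self, url, request_headers, response):
        vary = response.headers.get("Vary", "")
        names = tuple(v.strip() for v in vary.split(",") if v.strip())
        self._vary[url] = names
        self._store[self._key(url, names, request_headers)] = response

    def lookup(self, url, request_headers):
        names = self._vary.get(url)
        if names is None:
            return None
        return self._store.get(self._key(url, names, request_headers))


class TrackedSession(dict):
    """Session stand-in. The framework adds Vary: Cookie only if the session
    was marked 'accessed'; mark_contains=False reproduces an `in` check that
    forgets to set that flag."""

    def __init__(self, data, mark_contains):
        super().__init__(data)
        self.accessed = False
        self._mark_contains = mark_contains

    def __getitem__(self, key):
        self.accessed = True
        return super().__getitem__(key)

    def __contains__(self, key):
        if self._mark_contains:
            self.accessed = True
        return super().__contains__(key)


# Constructed server-side session store: cookie value -> session data.
SESSIONS = {"session=alice-token": {"user": "alice"}}


def handle_request(url, request_headers, mark_contains):
    """Simulated cacheable view whose content depends on the session, but which
    only touches the session through the `in` operator."""
    data = SESSIONS.get(request_headers.get("Cookie", ""), {})
    session = TrackedSession(data, mark_contains)
    body = "Private dashboard" if "user" in session else "Please log in"
    resp = Response(body, {"Cache-Control": "public, max-age=60"})
    if session.accessed:
        resp.headers["Vary"] = "Cookie"
    return resp


def ensure_vary_cookie(resp):
    """Defence in depth: append Cookie to Vary on every response, so a cache
    keys on the cookie even if the framework failed to mark the session."""
    existing = [v.strip() for v in resp.headers.get("Vary", "").split(",") if v.strip()]
    if not any(v.lower() == "cookie" for v in existing):
        existing.append("Cookie")
    resp.headers["Vary"] = ", ".join(existing)
    return resp


def simulate(mark_contains, harden=False):
    """Victim (with cookie) requests first, then an attacker with no cookie.
    Returns (Vary header on the victim's response, body the attacker sees)."""
    cache, url = SharedCache(), "/dashboard"
    victim, attacker = {"Cookie": "session=alice-token"}, {}
    resp = handle_request(url, victim, mark_contains)
    if harden:
        resp = ensure_vary_cookie(resp)
    cache.store(url, victim, resp)
    hit = cache.lookup(url, attacker) or handle_request(url, attacker, mark_contains)
    return resp.headers.get("Vary"), hit.body


if __name__ == "__main__":
    print("buggy   :", simulate(mark_contains=False))   # attacker gets the victim's page
    print("fixed   :", simulate(mark_contains=True))
    print("hardened:", simulate(mark_contains=False, harden=True))
```

In a real Flask application the equivalent of `ensure_vary_cookie` would be registered with `@app.after_request`; it costs nothing on a patched version and closes the gap on an unpatched one, at the price of caches effectively keying session-bearing responses per user. Verifying a deployment is just as simple: request a session-dependent page with a valid cookie and confirm the response carries `Vary: Cookie` (or `Cache-Control: private`) before any shared cache is allowed in front of it.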

The issue surfaced in a GitHub pull request, now marked 'abandoned', that aimed to bump the project's dependency from Flask v2.2.2 to the patched v3.0.0. The PR, generated by an automated dependency management bot, highlights a common but dangerous failure mode in software maintenance: a security patch is offered and then left unmerged. The advisory from the Flask maintainers (Pallets) confirms the issue and notes that severity is application-dependent: only applications whose responses pass through a shared cache and that read the session in the affected way are exposed, but where those conditions hold the result is unauthorized disclosure of another user's data.

This incident underscores the systemic pressure on development teams to maintain dependency hygiene. An abandoned update for a foundational package like Flask leaves every dependent project exposed, regardless of how carefully its own code is written. It signals a point of institutional failure where automated security alerts are generated but not acted upon, creating a silent and widespread attack surface. Any web application that uses Flask sessions on a version without the fix, and that serves responses through a cache it does not control per user, should treat both user data and response integrity as at risk until the dependency is updated.