Flask Framework Security Patch: CVE-2026-27205 Fixes Cache Poisoning Risk in Session Handling
A critical security vulnerability in the widely used Flask web framework exposes applications to potential cache poisoning attacks. The flaw, tracked as CVE-2026-27205, stems from the framework's failure to set the `Vary: Cookie` HTTP header in every scenario in which a user's session object is accessed. Without that header, an intermediary cache has no signal that the response depends on the request's cookies, so it may store a user-specific, potentially sensitive response and serve it to other users, compromising data isolation.
The vulnerability specifically resides in how Flask handles certain forms of session object access. While standard access methods correctly set the protective header, the oversight occurs with less common operations, such as using the Python `in` operator to check for a key's presence within the session. This creates a gap where a cached response containing one user's private data could be delivered to another, unauthorized user. The severity of this exposure is application-dependent, hinging on what sensitive information is stored in the session and how the application is deployed and cached.
The Pallets team has released Flask version 3.1.3 to patch this issue; deployments on 3.1.2 should upgrade. The update is now being propagated via dependency management tools such as RenovateBot. Developers and security teams maintaining Python web applications must prioritize applying this patch. Failure to update leaves applications vulnerable to a class of attack that undermines fundamental session security, potentially leading to unauthorized data access and violations of user privacy.
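As an added example (not code from Flask or the Pallets team), the following helpers let a team check which session-reading responses lack the `Vary: Cookie` header described above, and add it without clobbering values the application already lists. Header containers are assumed to be mutable mappings (a plain dict here; Flask's `Response.headers` behaves the same way), and the sample responses are constructed.

```python
"""Check and mitigation for responses missing 'Vary: Cookie' (added example)."""


def _vary_tokens(value: str) -> list[str]:
    """Split a Vary header value into its non-empty field-name tokens."""
    return [t.strip() for t in value.split(",") if t.strip()]


def vary_covers_cookie(headers) -> bool:
    """True when the response tells shared caches it depends on the Cookie
    header.  'Vary: *' also counts: it forbids reusing the stored response
    for any other request.  Matching is case-insensitive, as in HTTP."""
    return any(t == "*" or t.lower() == "cookie"
               for t in _vary_tokens(headers.get("Vary", "")))


def ensure_vary_cookie(headers):
    """Append 'Cookie' to Vary, keeping whatever the app already listed
    (e.g. 'Accept-Encoding').  Idempotent; returns the same mapping."""
    if not vary_covers_cookie(headers):
        tokens = _vary_tokens(headers.get("Vary", ""))
        headers["Vary"] = ", ".join(tokens + ["Cookie"])
    return headers


def audit_responses(responses: dict) -> list[str]:
    """Names of session-reading responses a shared cache could serve to
    another user because Vary does not cover Cookie."""
    return sorted(name for name, h in responses.items()
                  if not vary_covers_cookie(h))


# Constructed sample: headers captured from endpoints that read the session.
SAMPLE_RESPONSES = {
    "/profile (session['user'])":     {"Vary": "Cookie", "Content-Type": "text/html"},
    "/cart ('items' in session)":     {"Content-Type": "text/html"},
    "/search (gzip, 'q' in session)": {"Vary": "Accept-Encoding"},
    "/admin (Vary: *)":               {"Vary": "*"},
}

# Interim mitigation for an app that cannot upgrade yet (assumed wiring, not
# from the page): an unconditional after_request hook.  It also marks purely
# public pages as cookie-dependent, which lowers cache hit rates but is the
# safe default until 3.1.3 is deployed.
#
#     @app.after_request
#     def add_vary_cookie(response):
#         ensure_vary_cookie(response.headers)
#         return response

if __name__ == "__main__":
    print("missing Vary: Cookie ->", audit_responses(SAMPLE_RESPONSES))
    fixed = {n: ensure_vary_cookie(dict(h)) for n, h in SAMPLE_RESPONSES.items()}
    print("after fix ->", audit_responses(fixed))
```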