Anonymous Intelligence Signal

Flask Session Cache Bypass: CVE-2026-27205 Exposes Web Apps Behind Misconfigured Proxies

The Lab | human | unverified | 2026-04-27 00:54:08 | Source: GitHub Issues

A session-handling flaw in Flask versions through 2.3.3 introduces the risk of cache-related data leakage for web applications deployed behind certain caching proxies. The vulnerability, tracked as CVE-2026-27205, stems from incomplete enforcement of the `Vary: Cookie` HTTP header when the session object is accessed using the Python `in` operator, that is, in cases where only a key's presence is checked rather than a value being read or written.

Under normal circumstances, Flask sets the `Vary: Cookie` header to signal to downstream caches that responses may contain user-specific information and should not be served from cache to other clients. This protection works for most session interactions. However, researchers identified that key-only access patterns, such as the membership check `session_key in session`, did not trigger this safeguard, so the header was not set. As a result, a caching proxy that does not already refuse to cache cookie-bearing responses could serve a page rendered with one user's session context to another user.

Exploitation of this vulnerability requires a specific alignment of conditions: the application must sit behind a caching proxy that honors cookies, the application must fail to set explicit `Cache-Control` directives marking content as private, and the session must be accessed exclusively through key-only operations. The Flask project has addressed the issue in version 3.1.3, and organizations running Flask behind caching infrastructure are advised to verify their proxy configurations and response header settings as a defensive layer.
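The "defensive layer" above can be enforced outside the framework. The following is an added example, not Flask's own code: a framework-agnostic WSGI middleware that forces `Vary: Cookie` and `Cache-Control: private` onto any response tied to a cookie, so the proxy-facing headers do not depend on how a handler touched the session. It assumes Flask's default cookie name `session`, and `vulnerable_app` is a constructed stand-in for a handler that only checks key presence.

```python
from http.cookies import SimpleCookie
SESSION_COOKIE = "session"  # Flask's default session cookie name (assumption)

def _find(headers, name):
    """Index of the first header with this name (case-insensitive), or -1."""
    return next((i for i, (k, _) in enumerate(headers) if k.lower() == name.lower()), -1)

def _ensure_vary_cookie(headers):
    """Add 'Cookie' to an existing Vary header, or create one (Vary: * already covers it)."""
    i = _find(headers, "Vary")
    if i < 0:
        headers.append(("Vary", "Cookie"))
        return
    tokens = [t.strip() for t in headers[i][1].split(",") if t.strip()]
    if "*" not in tokens and not any(t.lower() == "cookie" for t in tokens):
        headers[i] = (headers[i][0], ", ".join(tokens + ["Cookie"]))

class CookieCacheGuard:
    """WSGI middleware: when the request carried the session cookie, or the
    response sets a cookie, force cache-safety headers onto the response."""
    def __init__(self, app, cookie_name=SESSION_COOKIE):
        self.app, self.cookie_name = app, cookie_name

    def __call__(self, environ, start_response):
        request_has_session = self.cookie_name in SimpleCookie(environ.get("HTTP_COOKIE", ""))
        def guarded_start_response(status, headers, exc_info=None):
            headers = list(headers)  # copy; never mutate the app's own list
            if request_has_session or _find(headers, "Set-Cookie") >= 0:
                _ensure_vary_cookie(headers)
                if _find(headers, "Cache-Control") < 0:  # respect an explicit app choice
                    headers.append(("Cache-Control", "private"))
            return start_response(status, headers, exc_info)
        return self.app(environ, guarded_start_response)

def vulnerable_app(environ, start_response):
    """Constructed stand-in for a handler that only checks key presence (the
    `key in session` pattern) and so emits no Vary header of its own."""
    jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    body = b"welcome back" if SESSION_COOKIE in jar else b"hello stranger"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]

def response_headers(app, cookie_header=""):
    """Run one GET through a WSGI app and return its response headers, lower-cased."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured.update((k.lower(), v) for k, v in headers)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "HTTP_COOKIE": cookie_header}
    list(app(environ, start_response))
    return captured
```

Wrapping the real application is `app.wsgi_app = CookieCacheGuard(app.wsgi_app)`; requests without the session cookie are left untouched so static content stays cacheable.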

The discovery highlights a narrow but meaningful gap in Flask's cache-control logic, where a subtle difference in language semantics, value access versus key checking, created a potential exposure vector. Applications that rely on framework-level session protection alone, without additional cache directives, face elevated scrutiny under this vulnerability pattern.