CVE-2026-27205
Publication date 21 February 2026
Last updated 18 March 2026
Ubuntu priority: Low
Description
Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask is supposed to set the Vary: Cookie header, but some access paths fail to do so, resulting in a Use of Cache Containing Sensitive Information vulnerability. Vary: Cookie tells caches that the response depends on the request's Cookie header, so a response generated for one logged-in user is not served from a cache to another (shared caches generally decline to store such responses at all). This is handled in most cases, but some forms of access, such as the Python `in` operator (a membership test that touches keys without reading values or mutating the session), were overlooked. The severity and risk depend on three conditions holding together: the application is hosted behind a caching proxy that does not ignore responses with cookies; the application does not set a Cache-Control header marking pages as private or non-cacheable; and a view accesses the session in a way that only touches keys without reading values or mutating the session. The issue has been fixed in version 3.1.3.
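The following is an added example, not Flask's own code and not from the Ubuntu tracker. The first part is a simplified model of how a Flask-style session records that it was read so that the framework knows to emit Vary: Cookie, and why a membership test with `in` slips through; FixedTrackedSession has the shape of the 3.1.3 fix (marking the session as accessed on membership tests), not the upstream patch itself. The second part is a WSGI middleware, usable in front of an unpatched application while the distribution update is rolled out, that forces Vary: Cookie and Cache-Control: private on every response to a cookie-bearing request regardless of how the view touched the session. All class and function names, the session contents and the sample application are constructed for this example.

```python
# Added example for CVE-2026-27205; a simplified stand-in, not Flask's code.


class TrackedSession(dict):
    """Models a pre-3.1.3 session: reads through __getitem__ and get() flip
    `accessed`, and the framework adds Vary: Cookie only when that flag is set.
    `key in session` falls through to dict.__contains__, so it is never recorded.
    """

    accessed = False

    def __getitem__(self, key):
        self.accessed = True
        return super().__getitem__(key)

    def get(self, key, default=None):
        # dict.get does not route through __getitem__, so it needs its own hook.
        self.accessed = True
        return super().get(key, default)


class FixedTrackedSession(TrackedSession):
    """Same model with membership tests recorded (the shape of the 3.1.3 fix)."""

    def __contains__(self, key):
        self.accessed = True
        return super().__contains__(key)


def vary_value_after_membership_test(session_cls, key="user_id"):
    """Simulate a view that only asks `key in session`, then return the Vary
    value the framework would emit: "Cookie" or None."""
    session = session_cls({"user_id": 42})  # constructed session contents
    _ = key in session
    return "Cookie" if session.accessed else None


def force_private_caching(app):
    """WSGI middleware: when the request carried a Cookie header, merge Cookie
    into Vary and add Cache-Control: private if the app set no Cache-Control.
    Defence in depth behind a shared cache; not a substitute for upgrading."""

    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            if "HTTP_COOKIE" in environ:
                headers = _with_private_caching(headers)
            return start_response(status, headers, exc_info)

        return app(environ, patched_start)

    return wrapped


def _with_private_caching(headers):
    """Return headers with Cookie in Vary and a Cache-Control if none existed.
    Header names and Vary tokens are compared case-insensitively."""
    kept, vary_values, has_cache_control = [], [], False
    for name, value in headers:
        lname = name.lower()
        if lname == "vary":
            vary_values.extend(v.strip() for v in value.split(",") if v.strip())
            continue
        if lname == "cache-control":
            has_cache_control = True
        kept.append((name, value))
    if not any(v.lower() == "cookie" for v in vary_values):
        vary_values.append("Cookie")
    kept.append(("Vary", ", ".join(vary_values)))
    if not has_cache_control:
        kept.append(("Cache-Control", "private"))
    return kept


def _call_wsgi(app, environ):
    """Invoke a WSGI app with a constructed environ and capture its response."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def _dashboard_app(environ, start_response):
    """Constructed stand-in for a view that sets no cache headers itself."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<p>dashboard</p>"]


def dashboard_headers(with_cookie=True):
    """Response headers (as a dict) the mitigated app sends for a constructed
    GET /dashboard, with or without a session cookie on the request."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/dashboard"}
    if with_cookie:
        environ["HTTP_COOKIE"] = "session=example-value"  # constructed cookie
    _, headers, _ = _call_wsgi(force_private_caching(_dashboard_app), environ)
    return dict(headers)
```

The middleware only adds Cache-Control when the application sent none, so a view that deliberately sets `no-store` or `public` keeps its own value; if an application sets `public` on a page that reads the session, that is a separate bug that no Vary header repairs. Requests without a Cookie header are passed through untouched, which keeps anonymous pages cacheable.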
Why is this CVE low priority?
Per the Flask developers, this is a low severity issue.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| flask | 25.10 questing | Vulnerable |
| flask | 24.04 LTS noble | Fixed 3.0.2-1ubuntu1.1 |
| flask | 22.04 LTS jammy | Fixed 2.0.1-2ubuntu1.2 |
| flask | 20.04 LTS focal | Fixed 1.1.1-2ubuntu0.1+esm1 |
| flask | 18.04 LTS bionic | Ignored (code not present) |
| flask | 16.04 LTS xenial | Ignored (code not present) |
Notes
shishirsub10
The versions in bionic and xenial do not have the functionality to set the Vary: Cookie header, as it was only introduced upstream in version 1.0.
References
Related Ubuntu Security Notices (USN)
- USN-8104-1: Flask vulnerability (18 March 2026)