Use of Cache Containing Sensitive Information Affecting flask package, versions [,3.1.3)
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PYTHON-FLASK-15322678
- published20 Feb 2026
- disclosed19 Feb 2026
- creditShourya Jaiswal
Introduced: 19 Feb 2026
CVE-2026-27205 (opens in a new tab)How to fix?
Upgrade flask to version 3.1.3 or higher.
Overview
Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the session object. An attacker can cause sensitive user-specific responses to be cached and served to other users by leveraging a caching proxy that does not ignore responses with cookies, when the application does not set a Cache-Control header and accesses the session only for keys without mutating or accessing values.
Note:
This is only exploitable if the application is hosted behind a caching proxy that does not ignore responses with cookies, does not set a Cache-Control header to indicate that a page is private or should not be cached, and accesses the session in a way that does not access the values, only the keys, and does not mutate the session.