Source: flask
Version: 3.1.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for flask.

CVE-2026-27205[0]:
| Flask is a web server gateway interface (WSGI) web application
| framework. In versions 3.1.2 and below, when the session object is
| accessed, Flask should set the Vary: Cookie header, resulting in a
| Use of Cache Containing Sensitive Information vulnerability. The
| logic instructs caches not to cache the response, as it may contain
| information specific to a logged in user. This is handled in most
| cases, but some forms of access such as the Python in operator were
| overlooked. The severity and risk depend on the application being
| hosted behind a caching proxy that doesn't ignore responses with
| cookies, not setting a Cache-Control header to mark pages as private
| or non-cacheable, and accessing the session in a way that only
| touches keys without reading values or mutating the session. The
| issue has been fixed in version 3.1.3.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-27205
    https://www.cve.org/CVERecord?id=CVE-2026-27205
[1] https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726
[2] https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
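The advisory above names two conditions that make the missing header exploitable: a shared cache that does not already refuse cookie-bearing responses, and an application that sets no Cache-Control of its own. The following is an added example, not code from this report or from Flask, showing a WSGI middleware that backstops both until the fixed package is deployed: it forces `Vary: Cookie` onto every response (which is what Flask itself emits once the session has been touched) and adds `Cache-Control: private` to cookie-bearing exchanges that carry no Cache-Control at all. The `vulnerable_app`, its cookie parsing and the two request environs are constructed stand-ins for an application that consults the session only through `in` membership tests; everything runs on the standard library.

```python
# Added example (not part of the Debian bug report or of Flask): a WSGI
# middleware that supplies the Vary: Cookie header the advisory describes as
# missing, plus a private Cache-Control fallback for cookie-bearing traffic.


def _vary_covers_cookie(headers):
    """True if some Vary header already lists Cookie (or the wildcard '*',
    which forbids reuse for any other request and so needs no addition)."""
    for name, value in headers:
        if name.lower() == "vary":
            fields = {f.strip().lower() for f in value.split(",")}
            if "*" in fields or "cookie" in fields:
                return True
    return False


def _merge_vary(headers):
    """Return a header list whose Vary field covers Cookie. An existing Vary
    header has 'Cookie' appended; otherwise a new 'Vary: Cookie' is added."""
    headers = list(headers)
    if _vary_covers_cookie(headers):
        return headers
    for i, (name, value) in enumerate(headers):
        if name.lower() == "vary":
            fields = [f.strip() for f in value.split(",") if f.strip()]
            fields.append("Cookie")
            headers[i] = (name, ", ".join(fields))
            return headers
    headers.append(("Vary", "Cookie"))
    return headers


def _ensure_private(headers):
    """Add 'Cache-Control: private' only when the app set no Cache-Control.
    An explicit policy chosen by the application is left alone."""
    if any(name.lower() == "cache-control" for name, _ in headers):
        return headers
    return list(headers) + [("Cache-Control", "private")]


def vary_cookie_middleware(app):
    """Wrap a WSGI app so every response varies on Cookie, and so responses
    that depend on a cookie (request carried one, or response sets one) are
    marked private unless the app already stated a Cache-Control policy."""

    def wrapped(environ, start_response):
        request_has_cookie = bool(environ.get("HTTP_COOKIE"))

        def patched_start_response(status, headers, exc_info=None):
            headers = _merge_vary(headers)
            sets_cookie = any(n.lower() == "set-cookie" for n, _ in headers)
            if request_has_cookie or sets_cookie:
                headers = _ensure_private(headers)
            return start_response(status, headers, exc_info)

        return app(environ, patched_start_response)

    return wrapped


# --- constructed demonstration app and requests (not real Flask code) ------

def _parse_cookie(header):
    """Minimal 'k=v; k2=v2' cookie parser for the stand-in app below."""
    jar = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            jar[key.strip()] = value.strip()
    return jar


def vulnerable_app(environ, start_response):
    """Stand-in for an app that only asks ``'user_id' in session`` and so,
    on the affected Flask versions, never emitted Vary: Cookie itself."""
    session = _parse_cookie(environ.get("HTTP_COOKIE", ""))
    body = b"welcome back" if "user_id" in session else b"please log in"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Vary", "Accept-Encoding")])
    return [body]


ENV_ANON = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
ENV_LOGGED_IN = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
                 "HTTP_COOKIE": "session=abc; user_id=42"}


def call_wsgi(app, environ):
    """Drive a WSGI app once and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def get_header(headers, name):
    """All values of a header, matched case-insensitively."""
    return [v for k, v in headers if k.lower() == name.lower()]


if __name__ == "__main__":
    protected = vary_cookie_middleware(vulnerable_app)
    for env in (ENV_ANON, ENV_LOGGED_IN):
        print(call_wsgi(vulnerable_app, env))
        print(call_wsgi(protected, env))
```

Wrapping the whole application means static responses vary on Cookie too, which fragments a cache; mount the middleware only in front of the dynamic routes if that matters. The middleware deliberately does not override an explicit `Cache-Control` chosen by the application, so a response the app itself marks `public` while depending on a cookie still needs fixing in the app.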

