Flask, a popular Python WSGI web framework, versions 3.1.2 and below contain a vulnerability (CVE-2026-27205) related to improper cache control when handling session objects. Normally, when a session is accessed, Flask sets the 'Vary: Cookie' HTTP header to instruct caches not to store user-specific responses, preventing sensitive information leakage. However, certain access patterns, notably using the Python 'in' operator to check for session keys without reading or modifying session values, do not trigger this header setting. Consequently, responses containing sensitive session data may be cached by intermediaries such as reverse proxies or CDNs that do not ignore responses with cookies and when the application does not explicitly set Cache-Control headers to prevent caching. This can lead to the unintended exposure of sensitive session information to other users sharing the cache. The vulnerability is classified under CWE-524 (Use of Cache Containing Sensitive Information). The risk depends heavily on deployment architecture, specifically the presence and configuration of caching proxies and the application's cache-control policies. The issue was addressed in Flask version 3.1.3 by ensuring consistent header setting regardless of session access method. The CVSS 4.0 vector indicates network attack vector, low complexity, partial attack complexity, no privileges required, user interaction required, and low confidentiality impact, resulting in an overall low severity score of 2.3. No known exploits have been reported, suggesting limited active exploitation.

The primary impact of this vulnerability is the potential leakage of sensitive session information through caching proxies that improperly cache responses containing user-specific data. If exploited, an attacker could retrieve cached responses intended for other users, leading to confidentiality breaches such as session hijacking or exposure of personal data. However, the impact is mitigated by several factors: the vulnerability requires the application to be behind a caching proxy that does not respect cookie-based cache directives; the application must fail to set Cache-Control headers properly; and the session must be accessed in a specific manner that triggers the flaw. Therefore, the scope of affected systems is limited to certain deployment configurations. Organizations using Flask versions below 3.1.3 with caching proxies like CDNs or reverse proxies that cache responses without proper validation are at risk. The vulnerability does not affect integrity or availability directly. Given the low CVSS score and lack of known exploits, the immediate risk is low but should not be ignored, especially for applications handling sensitive user data.

To mitigate this vulnerability, organizations should upgrade Flask to version 3.1.3 or later, where the issue is fixed. Additionally, review and enforce proper cache-control policies on all responses containing user-specific data by explicitly setting Cache-Control headers such as 'private' or 'no-store' to prevent caching by intermediaries. Audit the deployment architecture to identify any caching proxies or CDNs that might cache responses improperly and configure them to respect cookie headers and cache-control directives. Developers should avoid accessing the session object in ways that bypass cache-control logic, such as using the 'in' operator without reading or mutating session values. Implement security testing to verify that sensitive responses are not cached unintentionally. Monitoring and logging cache behavior can help detect potential misuse. Finally, educate development and operations teams about the importance of cache control in web application security.