GHSA-68rp-wp8r-4726

When the session object is accessed, Flask should set the Vary: Cookie header. This instructs caches not to cache the response, as it may contain information specific to a logged in user. This is handled in most cases, but some forms of access such as the Python in operator were overlooked.

The severity depends on the application's use of the session, and the cache's behavior regarding cookies. The risk depends on all these conditions being met.

The application must be hosted behind a caching proxy that does not ignore responses with cookies.
The application does not set a Cache-Control header to indicate that a page is private or should not be cached.
The application accesses the session in a way that does not access the values, only the keys, and does not mutate the session.

Database specific

{
    "nvd_published_at": "2026-02-21T06:17:00Z",
    "github_reviewed_at": "2026-02-19T20:45:41Z",
    "github_reviewed": true,
    "severity": "LOW",
    "cwe_ids": [
        "CWE-524"
    ]
}

References

Affected packages

PyPI / flask

Package

Name: flask; View open source insights on deps.dev
Purl: pkg:pypi/flask

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.3

Affected versions

0.*

0.1

0.2

0.3

0.3.1

0.4

0.5

0.5.1

0.5.2

0.6

0.6.1

0.7

0.7.1

0.7.2

0.8

0.8.1

0.9

0.10

0.10.1

0.11

0.11.1

0.12

0.12.1

0.12.2

0.12.3

0.12.4

0.12.5

1.*

1.0

1.0.1

1.0.2

1.0.3

1.0.4

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

2.*

2.0.0rc1

2.0.0rc2

2.0.0

2.0.1

2.0.2

2.0.3

2.1.0

2.1.1

2.1.2

2.1.3

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.3.0

2.3.1

2.3.2

2.3.3

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.1.0

3.1.1

3.1.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-68rp-wp8r-4726/GHSA-68rp-wp8r-4726.json"