Flask 3.1.3

Release Date: February 18, 2026

Flask 3.1.3 has been released — a focused security maintenance release addressing a session handling vulnerability. Let's step back and look at where Flask has come from and what this update means.

A Brief History of Flask's Security Posture

Remember when Flask 0.12 was just a lightweight wrapper around Werkzeug with minimal security tooling? The project has evolved significantly since those early days. What began in 2010 as an April Fools' joke by Armin Ronacher has grown into one of the most widely deployed Python web frameworks, serving everything from tiny APIs to enterprise applications.

Flask 1.0 arrived in 2018 with a maturing security model. Version 2.0 brought async support in 2021. And now, with version 3.x, the focus has sharpened on hardening the framework against session-based attacks and ensuring the session system is auditable and predictable.

What Changed in Flask 3.1.3

This release is primarily a security maintenance release that addresses a subtle flaw in session access tracking. The change is minimal but important: the session object is now correctly marked as "accessed" for read-only operations such as the in operator (key membership checks) and len() (session length queries). Previously, these operations bypassed the access marker, which could allow certain session expiration bypass scenarios in edge cases.

  • Security fix (GHSA-68rp-wp8r-4726) — Session is now tracked as accessed for key membership and length operations
  • No breaking changes — This is a drop-in replacement for Flask 3.1.x users
  • Minimal diff — Only the session access tracking logic was modified
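
The access-tracking gap described above, as a simplified model added here for illustration; it is not Flask's source code. LegacySession, PatchedSession and unmarked_reads are hypothetical names, and the accessed attribute is an assumption about how a session class exposes its flag. Running unmarked_reads against a custom session class reports which read-only operations leave the flag unset.

```python
# Added example: simplified model of session access tracking, not Flask's code.
# LegacySession, PatchedSession and unmarked_reads are hypothetical names.

class LegacySession(dict):
    """Models the pre-fix behaviour: only value reads set `accessed`."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.accessed = False

    def __getitem__(self, key):
        self.accessed = True
        return super().__getitem__(key)

    def get(self, key, default=None):
        self.accessed = True
        return super().get(key, default)


class PatchedSession(LegacySession):
    """Models the fixed behaviour: key-only reads set `accessed` too."""

    def __contains__(self, key):
        self.accessed = True
        return super().__contains__(key)

    def __len__(self):
        self.accessed = True
        return super().__len__()


# Read-only operations to probe; each one runs against a fresh session.
READ_PROBES = {
    "getitem": lambda s: s["user_id"],
    "get": lambda s: s.get("user_id"),
    "in": lambda s: "user_id" in s,
    "len": lambda s: len(s),
}


def unmarked_reads(session_cls):
    """Return the probes that read the session without setting `accessed`."""
    missed = []
    for name, probe in READ_PROBES.items():
        session = session_cls({"user_id": 42})  # constructed sample data
        session.accessed = False  # reset in case construction touched it
        probe(session)
        if not session.accessed:
            missed.append(name)
    return missed
```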

The Migration Arc

Flask 3.1.3 sits within the 3.1.x lineage that began in November 2024. For teams that have been following the upgrade path since Flask 3.0 (released September 2023), this is a straightforward update. The Flask core team has maintained strong backward compatibility throughout the 3.x lifecycle, making security patches easy to adopt.

If you're still on Flask 2.x, now is a good time to plan your upgrade. Flask 3.0 removed Python 3.8 support, and Flask 3.2 (currently in development) will drop Python 3.9. Staying current ensures you receive these important security fixes without delay.

Flask 3.1.3 is available now on PyPI. Upgrade with pip install --upgrade Flask and check your session handling if you rely on custom session backends.
