CVE-2026-48710

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-48710
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-48710.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-48710
Aliases
Downstream
Related
Published
2026-05-26T21:54:54.393Z
Modified
2026-06-18T03:56:34.154870108Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks
Details

Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP Host request header was not validated before being used to reconstruct request.url. Because the routing algorithm relies on the raw HTTP path while request.url is rebuilt from the Host header, a malformed header could make request.url.path differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on request.url (rather than the raw scope path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the Host header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing request.url and falls back to scope["server"] for malformed values.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-444"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48710.json"
}
References

Affected packages

Git / github.com/kludex/starlette

Affected ranges

Type
GIT
Repo
https://github.com/kludex/starlette
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
48f8e331b23ca692f4713ac1f370bff1b5cd034c
Fixed
764dab0dcfb9033d75442d7a359645c9f94648c6
Database specific 
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.0.1"
        }
    ]
}

Affected versions

0.*
0.1.0
0.1.1
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16
0.1.17
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.10.0
0.10.1
0.10.4
0.11.1
0.11.2
0.11.3
0.11.4
0.12.0
0.12.0.b1
0.12.0.b2
0.12.0.b3
0.12.11
0.12.12
0.12.13
0.12.2
0.12.3
0.12.4
0.12.5
0.12.6
0.12.7
0.12.8
0.12.9
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.13.5
0.13.6
0.13.7
0.13.8
0.14.0
0.14.1
0.14.2
0.15.0
0.16.0
0.17.0
0.17.1
0.18.0
0.19.0
0.19.1
0.2.1
0.2.2
0.2.3
0.20.0
0.20.1
0.20.2
0.20.3
0.20.4
0.21.0
0.22.0
0.23.0
0.23.1
0.24.0
0.25.0
0.26.0
0.26.0.post1
0.26.1
0.27.0
0.28.0
0.29.0
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.30.0
0.31.0
0.31.1
0.32.0
0.32.0.post1
0.33.0
0.34.0
0.35.0
0.35.1
0.36.0
0.36.1
0.36.2
0.36.3
0.37.0
0.37.1
0.37.2
0.38.0
0.38.1
0.38.2
0.38.3
0.38.4
0.38.5
0.38.6
0.39.0
0.39.1
0.39.2
0.4.0
0.4.1
0.4.2
0.40.0
0.41.0
0.41.1
0.41.2
0.41.3
0.42.0
0.43.0
0.44.0
0.45.0
0.45.1
0.45.2
0.45.3
0.46.0
0.46.1
0.46.2
0.47.0
0.47.1
0.47.2
0.47.3
0.48.0
0.49.0
0.49.1
0.49.2
0.49.3
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.50.0
0.51.0
0.52.0
0.52.1
0.6.1
0.6.2
0.6.3
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.9.0
0.9.1
0.9.10
0.9.11
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
1.*
1.0.0
1.0.0rc1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-48710.json"