CVE-2026-48710

May 26, 2026, 10:16 p.m.

6.5
Medium

Description

Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to version 1.0.1 or later, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.
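
The validation and fallback named in the description can be expressed as follows. This is an added example, not Starlette's code and not taken from the 1.0.1 patch; the names `is_valid_host` and `netloc_for_url` are hypothetical. It assumes `scope["server"]` is present and, as a simplification, rejects IPvFuture literals.

```python
import ipaddress
import re

# RFC 3986 §3.2.2 reg-name: unreserved / pct-encoded / sub-delims.
# Dotted IPv4 addresses also match this production.
_REG_NAME = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*")
# RFC 9112 §3.2: Host = uri-host [ ":" port ], with port = *DIGIT.
_HOST = re.compile(r"(?P<host>\[[^\]]*\]|[^:\[\]]*)(?::(?P<port>[0-9]*))?")


def is_valid_host(value: str) -> bool:
    """True if value matches uri-host [ ":" port ] and nothing else."""
    m = _HOST.fullmatch(value)
    if m is None:
        return False
    host = m.group("host")
    if host.startswith("["):  # IP-literal: only IPv6 is accepted here
        inner = host[1:-1]
        if not re.fullmatch(r"[0-9A-Fa-f:.]+", inner):
            return False
        try:
            ipaddress.IPv6Address(inner)
        except ValueError:
            return False
        return True
    return _REG_NAME.fullmatch(host) is not None


def netloc_for_url(scope: dict) -> str:
    """Authority to use when rebuilding a URL from an ASGI HTTP scope."""
    headers = dict(scope.get("headers", []))  # ASGI: (bytes, bytes) pairs
    raw = headers.get(b"host", b"").decode("latin-1")
    if raw and is_valid_host(raw):
        return raw
    # Missing, empty or malformed Host: fall back to the listening address.
    host, port = scope["server"]
    default = {"http": 80, "https": 443}.get(scope.get("scheme", "http"))
    return host if port in (None, default) else f"{host}:{port}"
```

Independently of the framework version, access-control decisions are safest when they read the same value the router uses, the raw `scope["path"]`, rather than a path derived from a rebuilt URL.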

Product(s) Impacted

  • Vendor: Encode
  • Product: Starlette
  • Versions: 1.0.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

CVSS Score

6.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Timeline

Published: May 26, 2026, 10:16 p.m.
Last Modified: May 26, 2026, 10:16 p.m.

Status: Received

CVE has been recently published to the CVE List and has been received by the NVD.

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.