CVE-2026-48710

Name: CVE-2026-48710
Description: Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because routing relies on the raw HTTP path in the ASGI scope while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested and routed. Middleware and endpoints that enforce security restrictions based on `request.url` (rather than on the raw `scope["path"]`) could therefore be bypassed. Users should upgrade to version 1.0.1 or later, which validates the `Host` header against the host grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.
Source: CVE (at NVD)
References: DSA-6302-1
Debian Bugs: 1137375
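
The mechanism behind the description, as an added example that is not Starlette's code and not part of the advisory: a minimal model of how an ASGI framework rebuilds the request URL from `scheme://host + raw path`, once without checking the `Host` header and once with the host[:port] grammar check and `scope["server"]` fallback the fix describes. The ASGI scope, the `Host` value `evil.example/forbidden#` and the helper names (`is_valid_host`, `rebuild_url`, `path_diverges`) are constructed for illustration, and the regex is a simplification of the RFC 3986 ABNF (see the comment).

```python
import re
from typing import Optional
from urllib.parse import SplitResult, urlsplit

# Host grammar: host = IP-literal / IPv4address / reg-name (RFC 3986 §3.2.2),
# followed by the optional ":" port of RFC 9112 §3.2. reg-name is limited to
# unreserved / pct-encoded / sub-delims, which is what keeps "/", "?", "#",
# "@" and "\" out of the value. Simplifications (assumptions, not the full
# ABNF): an IPv6 literal is any bracketed run of hex digits, ":" and ".", and a
# non-empty host part is required even though RFC 3986 lets reg-name be empty.
_HOST_RE = re.compile(
    r"(?:\[[0-9A-Fa-f:.]+\]"                                # IP-literal
    r"|(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})+)"   # reg-name / IPv4address
    r"(?::[0-9]*)?"                                         # optional port
)


def is_valid_host(value: str) -> bool:
    """True if a Host header value matches the host[:port] grammar above."""
    return _HOST_RE.fullmatch(value) is not None


def _header(scope: dict, name: bytes) -> Optional[str]:
    """First header with the given lowercase name, decoded as ASGI specifies (latin-1)."""
    for key, value in scope.get("headers", []):
        if key == name:
            return value.decode("latin-1")
    return None


def _server_authority(scope: dict) -> str:
    """host[:port] built from scope['server'], the transport-level address."""
    host, port = scope["server"]
    if ":" in host:  # a bare IPv6 address must be bracketed inside a URL
        host = f"[{host}]"
    return host if port is None else f"{host}:{port}"


def rebuild_url(scope: dict, validate_host: bool) -> SplitResult:
    """Rebuild the request URL as scheme://authority + raw path [+ ?query].

    validate_host=False models the pre-fix behaviour the advisory describes: the
    Host header is spliced in unchecked, so a value containing "/" or "#" moves
    the point where urlsplit() thinks the path starts. validate_host=True
    applies the described fix: a malformed value falls back to scope['server'].
    (Hypothetical model of the behaviour, not the framework's implementation.)
    """
    host = _header(scope, b"host")
    if host is None or (validate_host and not is_valid_host(host)):
        host = _server_authority(scope)
    url = f"{scope['scheme']}://{host}{scope['path']}"
    if scope.get("query_string"):
        url += "?" + scope["query_string"].decode("latin-1")
    return urlsplit(url)


def path_diverges(scope: dict, validate_host: bool) -> bool:
    """The check a middleware author cares about: does the rebuilt URL's path
    still equal the raw scope path that the router actually dispatches on?"""
    return rebuild_url(scope, validate_host).path != scope["path"]


# Constructed ASGI scope for GET /admin/users (sample input, not a captured request).
MALFORMED_SCOPE = {
    "type": "http",
    "scheme": "http",
    "server": ("127.0.0.1", 8000),
    "path": "/admin/users",
    "query_string": b"",
    "headers": [(b"host", b"evil.example/forbidden#")],
}

if __name__ == "__main__":
    for validate in (False, True):
        url = rebuild_url(MALFORMED_SCOPE, validate)
        print(f"validate_host={validate}: url.path={url.path!r}, "
              f"scope path={MALFORMED_SCOPE['path']!r}, "
              f"diverges={path_diverges(MALFORMED_SCOPE, validate)}")
```

Without validation the rebuilt URL becomes `http://evil.example/forbidden#/admin/users`, so `urlsplit()` reports the path as `/forbidden` and pushes the real path into the fragment; a guard written as `url.path.startswith("/admin")` would not fire, while the router still dispatches on `/admin/users`. With validation the malformed value is rejected and the authority comes from `scope["server"]`, and the two paths agree again. Until an affected deployment is upgraded, authorization middleware should compare against `scope["path"]` rather than `request.url.path`.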

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  | Release             | Version            | Status
starlette (PTS) | bullseye            | 0.14.1-1           | vulnerable
                | bookworm            | 0.26.1-1           | vulnerable
                | bookworm (security) | 0.26.1-1+deb12u1   | fixed
                | trixie              | 0.46.1-3+deb13u1   | vulnerable
                | trixie (security)   | 0.46.1-3+deb13u2   | fixed
                | forky               | 1.0.0-1            | vulnerable
                | sid                 | 1.1.0-1            | fixed

The information below is based on the following data on fixed versions.

Package   | Type   | Release    | Fixed Version      | Urgency | Origin     | Debian Bugs
starlette | source | bookworm   | 0.26.1-1+deb12u1   |         | DSA-6302-1 |
starlette | source | trixie     | 0.46.1-3+deb13u2   |         | DSA-6302-1 |
starlette | source | (unstable) | 1.1.0-1            |         |            | 1137375

Notes

https://x41-dsec.de/lab/advisories/x41-2026-002-starlette/
https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr
https://github.com/Kludex/starlette/commit/764dab0dcfb9033d75442d7a359645c9f94648c6 (1.0.1)
https://github.com/Kludex/starlette/pull/3279
