CVE-2026-48818

Name: CVE-2026-48818
Description: Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. An UNC path such as \\attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection before the path is rejected, exposing the service account’s NTLMv2 credentials for offline cracking or relay even though the HTTP response is only a 404. The issue affects default follow_symlink=False deployments, including frameworks built on Starlette such as FastAPI; POSIX systems and follow_symlink=True are unaffected. The issue is fixed in 1.1.0.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release              Version             Status
starlette (PTS)    bullseye             0.14.1-1            fixed
                   bookworm             0.26.1-1            fixed
                   bookworm (security)  0.26.1-1+deb12u1    fixed
                   trixie               0.46.1-3+deb13u1    fixed
                   trixie (security)    0.46.1-3+deb13u2    fixed
                   forky, sid           1.1.0-1             fixed

The information below is based on the following data on fixed versions.

Package     Type     Release      Fixed Version     Urgency     Origin     Debian Bugs
starlette   source   (unstable)   (not affected)

Notes

- starlette <not-affected> (Only affects Starlette on Windows)
https://github.com/Kludex/starlette/security/advisories/GHSA-wqp7-x3pw-xc5r
https://github.com/Kludex/starlette/pull/3287
Fixed by: https://github.com/Kludex/starlette/commit/fd53168a7767b6b55ba5af787fd88f49e33cabc5 (1.1.0)
