CVE-2026-54282

Name: CVE-2026-54282
Description: Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @google.com) moves the authority boundary during re-parsing, so request.url.hostname and request.url.netloc become attacker-controlled. Code that reads request.url.hostname (rather than the Host header or scope) can therefore be misled into trusting an attacker-supplied host. This vulnerability is fixed in 1.3.0.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
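The reconstruction flaw described above can be reproduced offline without Starlette. The block below is an added example, not Starlette's own code and not the 1.3.0 fix: it models the "{scheme}://{host}{path}" concatenate-and-re-parse pattern with urllib.parse, shows how a path that does not start with "/" demotes the real host to userinfo and promotes attacker text to the hostname, and pairs it with two hypothetical mitigations (a path check before reconstruction, and an allow-list check against the Host header value rather than request.url.hostname). The function names and the sample inputs are constructed for illustration; the example assumes the ASGI server hands a non-slash request target through unchanged as scope["path"].

```python
"""Model of the request.url reconstruction flaw in CVE-2026-54282.

Added example: this is NOT Starlette's own code. It re-creates, with
urllib.parse, the pattern the advisory describes (concatenate
"{scheme}://{host}{path}" and re-parse it) so the effect of a path that
does not start with "/" can be observed without a running server.
"""
from __future__ import annotations

from urllib.parse import SplitResult, urlsplit


def rebuild_url(scheme: str, host: str, path: str) -> SplitResult:
    """Unchecked reconstruction, as the advisory describes for < 1.3.0.

    `host` stands in for the value taken from the Host header and `path`
    for scope["path"]; nothing verifies that `path` begins with "/".
    """
    return urlsplit(f"{scheme}://{host}{path}")


def rebuild_url_checked(scheme: str, host: str, path: str) -> SplitResult:
    """Hypothetical hardened variant (an assumption, not the 1.3.0 patch):
    refuse any path that could extend the authority component on re-parse."""
    if not path.startswith("/"):
        raise ValueError(f"request path must start with '/': {path!r}")
    return rebuild_url(scheme, host, path)


def host_from_header(host_header: str) -> str:
    """Hostname from a raw Host header value with any port removed.

    This is the value an allow-list should be compared against, instead of
    request.url.hostname, which the flaw lets the client choose.
    """
    if host_header.startswith("["):                  # bracketed IPv6 literal
        return host_header.partition("]")[0].lower() + "]"
    return host_header.partition(":")[0].lower()


def is_allowed_host(host_header: str, allowed: frozenset[str]) -> bool:
    """Allow-list check that never consults the reconstructed URL."""
    return host_from_header(host_header) in allowed


def demo() -> list[tuple[str, str, str]]:
    """Run constructed paths through the unchecked rebuild.

    Returns (path, netloc, hostname) rows; the third and fourth rows show
    the authority boundary moving to attacker-controlled text.
    """
    rows: list[tuple[str, str, str]] = []
    for path in ("/items", "/@google.com", "@google.com", "@google.com:8443/admin"):
        url = rebuild_url("https", "example.com", path)
        rows.append((path, url.netloc, url.hostname or ""))
    return rows


if __name__ == "__main__":
    for path, netloc, hostname in demo():
        print(f"path={path!r:26} netloc={netloc!r:34} hostname={hostname!r}")
    try:
        rebuild_url_checked("https", "example.com", "@google.com")
    except ValueError as exc:
        print("checked variant rejected it:", exc)
    print("Host header allowed:", is_allowed_host("example.com:8443", frozenset({"example.com"})))
```

With the unchecked rebuild, "https://example.com" + "@google.com" re-parses as userinfo "example.com" on host "google.com", so any code keying trust on request.url.hostname sees the attacker's value while the Host header still says example.com. Checking the path (or reading the Host header directly) avoids the problem regardless of which Starlette version is installed.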

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release               Version             Status
starlette (PTS)    bullseye              0.14.1-1            vulnerable
                   bookworm              0.26.1-1            vulnerable
                   bookworm (security)   0.26.1-1+deb12u1    vulnerable
                   trixie                0.46.1-3+deb13u1    vulnerable
                   trixie (security)     0.46.1-3+deb13u2    vulnerable
                   forky, sid            1.1.0-1             vulnerable

The information below is based on the following data on fixed versions.

Package     Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
starlette   source   (unstable)   (unfixed)

Notes

https://github.com/Kludex/starlette/security/advisories/GHSA-jp82-jpqv-5vv3
https://github.com/Kludex/starlette/pull/3326
Fixed by: https://github.com/Kludex/starlette/commit/167b5850e809f38b27fbfed62d58bf6442855975 (1.3.0)
