Description
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.
Published: 2026-05-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Starlette, a lightweight ASGI framework, did not validate the HTTP Host header before using it to rebuild request.url. Because routing uses the raw HTTP path from the ASGI scope while request.url is reconstructed from the Host header, a crafted Host header could make request.url.path differ from the path that was actually requested, allowing middleware or endpoints that enforce security checks on request.url (rather than on the scope path) to be bypassed. The result is a breach of intended access controls that requires neither code execution nor elevated privileges.

Affected Systems

The vulnerability affects the Kludex starlette framework in all versions prior to 1.0.1. Users running those older releases are susceptible because the framework does not validate the Host header against RFC 9112 or RFC 3986 before reconstructing the URL.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score of below 1% suggests a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is network-based: any client that can send HTTP requests with a crafted Host header to an application running an affected Starlette version. No foothold is required beyond the ability to reach the server or to alter HTTP traffic in transit.

Generated by OpenCVE AI on May 28, 2026 at 04:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Starlette to version 1.0.1 or newer, which validates the Host header and falls back to the server scope for malformed values.
  • If upgrading is not immediately possible, employ a reverse proxy or middleware that rejects or normalizes malformed Host headers according to RFC 9112 and RFC 3986.
  • Implement monitoring or logging for anomalous Host header values to detect attempted bypasses.
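As an added example (not code from Starlette or from this advisory), the following pure-ASGI middleware implements the second and third recommendations above for an application that cannot yet be upgraded: it checks the Host header against a regular expression derived from the RFC 3986 §3.2.2 host grammar with the optional RFC 9112 §3.2 port, rejects malformed values with 400 before they reach routing or any request.url-based check, and logs them for anomaly monitoring. The regex is my approximation (IPv6/IPvFuture literals are simplified to a bracketed token, and an empty host is rejected, which is stricter than the RFC); `HostValidationMiddleware`, `is_valid_host` and `status_for_host` are names chosen here, and the scope used by `status_for_host` is constructed so the example runs without Starlette installed.

```python
import asyncio
import logging
import re
from typing import Optional

log = logging.getLogger("host-validation")

# Approximation of RFC 3986 §3.2.2 "host" plus the optional RFC 9112 §3.2 port
# (Host = uri-host [ ":" port ]). IP-literal is simplified to a bracketed token of
# hex digits, colons and dots, and reg-name must be non-empty (stricter than the RFC).
_UNRESERVED = r"A-Za-z0-9\-._~"
_SUB_DELIMS = r"!$&'()*+,;="
_PCT_ENCODED = r"%[0-9A-Fa-f]{2}"
_REG_NAME = rf"(?:[{_UNRESERVED}{_SUB_DELIMS}]|{_PCT_ENCODED})+"
_IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
_IP_LITERAL = r"\[[0-9A-Fa-f:.]+\]"
HOST_RE = re.compile(rf"(?:{_IP_LITERAL}|{_IPV4}|{_REG_NAME})(?::\d*)?")


def is_valid_host(value: str) -> bool:
    """True if the Host header value matches the host[:port] grammar above."""
    return HOST_RE.fullmatch(value) is not None


class HostValidationMiddleware:
    """Pure ASGI middleware (no Starlette import needed) that rejects malformed
    Host headers before the request reaches routing or any request.url-based check."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        # ASGI header names are already lowercased bytes.
        host = next((v.decode("latin-1") for k, v in scope.get("headers", []) if k == b"host"), None)
        if host is not None and not is_valid_host(host):
            # Record the raw value so anomalous Host headers show up in monitoring.
            log.warning("rejected malformed Host header %r from %s", host, scope.get("client"))
            await send({"type": "http.response.start", "status": 400,
                        "headers": [(b"content-type", b"text/plain")]})
            await send({"type": "http.response.body", "body": b"Bad Request: malformed Host header"})
            return
        await self.app(scope, receive, send)


async def _ok_app(scope, receive, send):
    """Stand-in for the protected application: always answers 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def status_for_host(host: Optional[str], path: str = "/admin") -> int:
    """Drive the middleware with a constructed ASGI scope and return the response status."""
    headers = [(b"host", host.encode("latin-1"))] if host is not None else []
    scope = {"type": "http", "method": "GET", "path": path, "headers": headers,
             "server": ("127.0.0.1", 8000), "client": ("203.0.113.5", 51000)}  # constructed
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(HostValidationMiddleware(_ok_app)(scope, receive, send))
    return sent[0]["status"]


if __name__ == "__main__":
    for h in ["example.com", "example.com:8080", "[::1]:443", "example.com/admin", "ex ample.com"]:
        print(f"{h!r:22} -> {status_for_host(h)}")
```

Wrap the ASGI application with `HostValidationMiddleware(app)` as the outermost layer so the check runs before any other middleware consults `request.url`. Starlette 1.0.1 falls back to `scope["server"]` for malformed values; rejecting the request instead is the stricter choice and makes every attempt visible in the log.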


Advisories
Source        ID                    Title
Debian DSA    DSA-6302-1            starlette security update
Github GHSA   GHSA-86qp-5c8j-p5mr   Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks
History

Tue, 16 Jun 2026 13:30:00 +0000


Wed, 03 Jun 2026 02:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Encode; Encode starlette
CPEs                                   cpe:2.3:a:encode:starlette:*:*:*:*:*:python:*:*
Vendors & Products                     Encode; Encode starlette

Thu, 28 May 2026 00:15:00 +0000

Type                  Values Removed          Values Added
Weaknesses                                    CWE-1289
References
Metrics               threat_severity: None   threat_severity: Important


Wed, 27 May 2026 15:30:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Kludex; Kludex starlette
Vendors & Products                     Kludex; Kludex starlette

Tue, 26 May 2026 22:15:00 +0000

Type                  Values Removed   Values Added
Description                            Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.
Title                                  Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks
Weaknesses                             CWE-444
References
Metrics                                cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-16T12:11:19.636Z

Reserved: 2026-05-22T18:47:27.755Z

Link: CVE-2026-48710

Vulnrichment

Updated: 2026-06-16T12:11:19.636Z

NVD

Status : Modified

Published: 2026-05-26T22:16:44.020

Modified: 2026-06-16T13:16:35.400

Link: CVE-2026-48710

Redhat

Severity : Important

Public Date: 2026-05-26T21:54:54Z

Links: CVE-2026-48710 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T04:45:07Z

Weaknesses
  • CWE-1289

    Improper Validation of Unsafe Equivalence in Input

  • CWE-444

    Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')