
PatchSiren cyber security CVE debrief

CVE-2026-48710 Kludex CVE debrief

A vulnerability in Starlette (prior to version 1.0.1) allows security controls to be bypassed with a malformed HTTP Host header. The framework did not validate the Host header before using it to reconstruct `request.url`; because the raw Host value is spliced into a URL string that is then parsed again, a Host value containing URL delimiters shifts the path boundary, creating a mismatch between the path the router matched and the path exposed to middleware and endpoints through `request.url`. Security controls relying on `request.url` rather than the raw ASGI scope path could therefore be circumvented. The fix validates Host headers against the RFC 9112 §3.2 / RFC 3986 §3.2.2 grammar and falls back to `scope['server']` for malformed values.

Vendor
Kludex
Product
starlette
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-26
Advisory published
2026-05-26
Advisory updated
2026-05-26

Who should care

Organizations running Starlette-based applications with security middleware or endpoint authorization logic; developers implementing path-based access controls in ASGI applications; security teams reviewing Python web framework deployments

Technical summary

The vulnerability stems from Starlette's URL reconstruction logic, which built `request.url` from the unvalidated HTTP Host header while the routing algorithm dispatched on the raw ASGI `scope['path']`. The reconstruction concatenates scheme, Host value and path into one string and re-parses it, so a Host value that contains delimiters such as `/`, `?` or `#` is not confined to the authority component: part of the real path can be absorbed into the host or pushed into the query, and `request.url.path` diverges from the path that was actually routed. Security middleware and endpoints that authorize, rate limit or otherwise restrict access based on `request.url` would evaluate a different path than the one dispatched to, enabling a bypass, while checks on `scope['path']` were unaffected. The fix validates the Host header against the RFC 9112 §3.2 and RFC 3986 §3.2.2 grammar and falls back to `scope['server']` when validation fails, so that the reconstructed URL can no longer be steered by the client.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Starlette to version 1.0.1 or later
  • Audit middleware and endpoints that apply security restrictions based on request.url
  • Replace request.url-based security checks with raw scope['path'] or scope['raw_path'] where path integrity is critical
  • Review reverse proxy and load balancer configurations to ensure Host header sanitization
  • Monitor application logs for malformed Host header requests as potential exploitation indicators
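
The following is an added, stand-alone example (not Starlette's code and not from the advisory) that models the mismatch described in the technical summary and the two mitigations listed above: a Host-header validator written to the RFC 9112 §3.2 / RFC 3986 §3.2.2 grammar (the IPv6 literal form is approximated as a bracketed run of hex digits, `:` and `.`), a simplified re-implementation of how `request.url` is assembled from an ASGI scope with and without that validation, and a path guard written once against `request.url.path` and once against `scope['path']`. All scope values, hostnames (`app.internal`, `example.com`) and function names are constructed for the demonstration; the `is_valid_host` helper can also be run over Host values pulled from access logs to flag the malformed requests mentioned in the last bullet.

```python
"""Model of the Starlette Host-header / request.url mismatch and its fix.

Simplified, stand-alone re-implementation (not Starlette's own code) of how
request.url is assembled from an ASGI scope: the raw Host value is spliced
into "scheme://host/path" and that string is parsed again. All scope values
below are constructed for the demonstration.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# Host grammar: RFC 9112 s3.2   Host = uri-host [ ":" port ]
#               RFC 3986 s3.2.2 uri-host = IP-literal / IPv4address / reg-name
# reg-name = *( unreserved / pct-encoded / sub-delims ) and also covers the
# IPv4address form. IP-literal is approximated as bracketed hex digits, ':'
# and '.'. The delimiters that matter here ('/', '?', '#', '@') are excluded.
_REG_NAME = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*"
_IP_LITERAL = r"\[[0-9A-Fa-f:.]+\]"
_HOST_RE = re.compile(rf"(?:{_IP_LITERAL}|{_REG_NAME})(?::[0-9]*)?")


def is_valid_host(host: str) -> bool:
    """True if `host` matches the Host grammar above (usable on log lines too)."""
    return _HOST_RE.fullmatch(host) is not None


def _host_header(scope: dict) -> Optional[str]:
    for name, value in scope["headers"]:
        if name == b"host":
            return value.decode("latin-1")
    return None


def _server_authority(scope: dict) -> str:
    """Authority derived from scope['server'], the fallback used by the fix."""
    host, port = scope["server"]
    default = {"http": 80, "https": 443, "ws": 80, "wss": 443}[scope["scheme"]]
    return host if port == default else f"{host}:{port}"


def reconstruct_url(scope: dict, validate_host: bool) -> str:
    """Build the URL string the way request.url does.

    validate_host=False models the pre-1.0.1 behaviour (Host used verbatim);
    validate_host=True models the fix: a Host that fails the grammar check is
    replaced by scope['server'].
    """
    authority = _host_header(scope)
    if authority is None or (validate_host and not is_valid_host(authority)):
        authority = _server_authority(scope)
    url = f"{scope['scheme']}://{authority}{scope['path']}"
    if scope.get("query_string"):
        url += "?" + scope["query_string"].decode()
    return url


def url_path(scope: dict, validate_host: bool) -> str:
    """The path a middleware reading request.url.path would act on."""
    return urlsplit(reconstruct_url(scope, validate_host)).path


def make_scope(path: str, host: str) -> dict:
    """Constructed ASGI scope; the router dispatches on `path` regardless of Host."""
    return {
        "type": "http",
        "scheme": "http",
        "server": ("app.internal", 80),
        "path": path,
        "query_string": b"",
        "headers": [(b"host", host.encode("latin-1"))],
    }


def blocks_admin_via_url(scope: dict, validate_host: bool) -> bool:
    """Vulnerable pattern: a guard that denies /admin based on request.url.path."""
    return url_path(scope, validate_host).startswith("/admin")


def blocks_admin_via_scope(scope: dict) -> bool:
    """Robust pattern: deny based on the path the router actually matched."""
    return scope["path"].startswith("/admin")


if __name__ == "__main__":
    for host in ("example.com", "example.com/public", "example.com?"):
        scope = make_scope("/admin/users", host)
        print(f"Host={host!r:22} valid={is_valid_host(host)!s:5} "
              f"url.path(old)={url_path(scope, False)!r:22} "
              f"url.path(fixed)={url_path(scope, True)!r}")
```

With `Host: example.com/public` the unvalidated reconstruction yields `http://example.com/public/admin/users`, so `request.url.path` becomes `/public/admin/users` and the `request.url`-based guard lets the `/admin/users` request through; with `Host: example.com?` the whole path moves into the query string and the path reads as empty. The scope-based guard is unaffected in both cases, and with validation enabled the malformed Host is discarded in favour of `scope['server']`, restoring the routed path.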

Evidence notes

Official CVE record published 2026-05-26. GitHub Security Advisory GHSA-86qp-5c8j-p5mr confirms affected versions and fix commit. Multiple independent security research organizations (OSTIF, X41 D-Sec, SecWest) published coordinated disclosure materials. Fix commit 764dab0dcfb9033d75442d7a359645c9f94648c6 validates Host header grammar per RFC specifications.

Official resources

2026-05-26