PatchSiren cyber security CVE debrief
CVE-2026-48817 Kludex CVE debrief
CVE-2026-48817 is a medium-severity vulnerability in Starlette, a lightweight ASGI framework. The issue allows attackers to invoke internal helper methods not intended as HTTP handlers, because the request method is not restricted to known HTTP verbs before it is used to select a handler. This occurs when an HTTPEndpoint subclass is registered without explicitly setting the 'methods' parameter, enabling non-standard HTTP methods to reach the endpoint. Affected applications include those using Starlette-based frameworks like FastAPI. The vulnerability has been fixed in version 1.1.0. Developers should update to the latest version and review their code for potential impacts. The CVSS score for this vulnerability is 5.3, indicating a medium severity level.
- Vendor: Kludex
- Product: starlette
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-17
- Original CVE updated: 2026-06-22
- Advisory published: 2026-06-17
- Advisory updated: 2026-06-22
Who should care
Developers using Starlette (versions 1.0.1 and below) or Starlette-based frameworks like FastAPI should be aware of this vulnerability. They should check whether their applications register HTTPEndpoint subclasses without explicitly setting the 'methods' parameter and take the necessary actions to secure their applications.
Technical summary
The vulnerability in Starlette arises from how HTTPEndpoint handles HTTP methods. When dispatching a request, it selects the handler by lowercasing the HTTP method and looking it up as an attribute without restricting the lookup to known HTTP verbs. If a non-standard HTTP method matches an attribute on the endpoint subclass, it is invoked as if it were a request handler. This can lead to unauthorized access to internal helper methods without proper authorization checks. The issue is mitigated in version 1.1.0, where the handling of HTTP methods has been improved.
Defensive priority
Medium
Recommended defensive actions
- Update Starlette to version 1.1.0 or later.
- Review code for HTTPEndpoint subclasses registered without explicit 'methods' parameters.
- Ensure that internal helper methods are not accessible via HTTP requests.
- Implement proper authorization checks for all request handlers.
- Monitor applications for any unusual or unauthorized access patterns.
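The following is an added example for this debrief, not Starlette's own code. It models the dispatch behaviour from the technical summary (lowercase the request method, look it up as an attribute, call it) beside an allowlist-hardened dispatcher, and provides an audit helper supporting the "review HTTPEndpoint subclasses" action above. The class names, the ProfileHandlers application code, the `load_admin_config` helper and the (status, body) response tuples are all constructed for illustration; Starlette's real HTTPEndpoint is async and takes a Request object, and the exact change shipped in 1.1.0 is not described on this page.

```python
"""Added example for this debrief: a self-contained model of the dispatch
weakness described in the technical summary, an allowlist hardening, and an
audit helper for reviewing HTTPEndpoint subclasses. None of this is
Starlette's own code; all class and method names are constructed."""

# The HTTP verbs a dispatcher should ever translate into an attribute lookup.
KNOWN_VERBS = frozenset(
    {"get", "post", "put", "patch", "delete", "head", "options", "trace"}
)

Response = tuple[int, str]  # (status, body) stand-in for a real response


class ModelHTTPEndpoint:
    """Imitates the lookup described above: lowercase the request method and
    call whatever attribute of that name exists on the subclass."""

    def dispatch(self, request: dict) -> Response:
        handler = getattr(self, request["method"].lower(), None)
        if handler is None:
            return 405, "Method Not Allowed"
        return handler(request)


class HardenedHTTPEndpoint(ModelHTTPEndpoint):
    """Same lookup, but a method name outside KNOWN_VERBS never reaches
    getattr, so only real verb handlers can be selected by a request."""

    def dispatch(self, request: dict) -> Response:
        if request["method"].lower() not in KNOWN_VERBS:
            return 405, "Method Not Allowed"
        return super().dispatch(request)


class ProfileHandlers:
    """Constructed application code: one real handler plus an internal helper
    that was never meant to be reachable over HTTP."""

    def get(self, request: dict) -> Response:
        return 200, "public profile"

    def load_admin_config(self, request: dict) -> Response:
        return 200, "admin config"


class LooseProfile(ProfileHandlers, ModelHTTPEndpoint):
    """Endpoint wired to the unrestricted dispatcher."""


class StrictProfile(ProfileHandlers, HardenedHTTPEndpoint):
    """Same handlers wired to the allowlisting dispatcher."""


def handle(endpoint_cls: type, method: str) -> Response:
    """Route one constructed request through the given endpoint class."""
    return endpoint_cls().dispatch({"method": method})


def exposed_helpers(endpoint_cls: type) -> list[str]:
    """Audit: public callables on an endpoint subclass whose names are neither
    HTTP verbs nor part of the base dispatcher. Each is a candidate the loose
    lookup could select, so it should be renamed or made private, and the
    route registered with an explicit verb allowlist."""
    inherited = set(dir(ModelHTTPEndpoint))
    return sorted(
        name
        for name in dir(endpoint_cls)
        if not name.startswith("_")
        and name not in inherited
        and name not in KNOWN_VERBS
        and callable(getattr(endpoint_cls, name))
    )


if __name__ == "__main__":
    for cls in (LooseProfile, StrictProfile):
        print(cls.__name__, "GET ->", handle(cls, "GET"))
        print(cls.__name__, "LOAD_ADMIN_CONFIG ->", handle(cls, "LOAD_ADMIN_CONFIG"))
        print(cls.__name__, "exposed helpers:", exposed_helpers(cls))
```

Running the script shows the loose dispatcher routing a non-standard method name to the helper while the hardened one answers 405 for anything outside the verb allowlist; `exposed_helpers` flags `load_admin_config` on both classes, which is the point of the review step: the allowlist stops the request, but the helper is still a public attribute on an HTTP endpoint and is worth moving out of the class or behind an underscore regardless.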
Evidence notes
The information provided is based on the CVE record and details from the Starlette project. The CVE was published on 2026-06-17 and modified on 2026-06-18. The vulnerability has been fixed in Starlette version 1.1.0.
Official resources
public