PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48818 Kludex CVE debrief

CVE-2026-48818 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in the StaticFiles component of Starlette, a lightweight ASGI framework/toolkit, when it runs on Windows. It carries a CVSS 3.1 base score of 7.5. An unauthenticated remote attacker can make the server open an outbound SMB connection: a request containing a UNC path reaches `os.path.realpath`, which resolves the path over the network before the path is rejected, so the Windows service account's NTLMv2 response can be captured for offline cracking or used in a relay attack. Default deployments (`follow_symlink=False`) are affected, including frameworks built on Starlette such as FastAPI. POSIX systems and deployments with `follow_symlink=True` are not affected. The issue is fixed in Starlette 1.1.0.

Vendor
Kludex
Product
starlette
CVSS
HIGH 7.5
CISA KEV
Not listed
Original CVE published
2026-06-17
Original CVE updated
2026-06-22
Advisory published
2026-06-17
Advisory updated
2026-06-22

Who should care

This vulnerability affects developers and administrators running Starlette 1.0.1 or earlier on Windows, in particular with the default `follow_symlink=False` StaticFiles configuration. Frameworks built on Starlette, such as FastAPI, inherit the issue. Affected users should prioritize upgrading to Starlette 1.1.0 or later, or apply the mitigations below until they can.

Technical summary

The vulnerability lies in Starlette's StaticFiles component on Windows. When a request path is a UNC path (e.g. `//attacker.com/share`), `os.path.realpath` resolves it before the path is rejected; on Windows that resolution opens an outbound SMB connection to the attacker-controlled host and authenticates as the service account, exposing its NTLMv2 response. The vulnerable code path is taken with `follow_symlink=False`, which is the default. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (the impact is confidentiality only: credential disclosure). The weakness is classified as CWE-918 (Server-Side Request Forgery).
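The point of the summary above is ordering: the containment check happens after `os.path.realpath`, and on Windows `realpath` itself is the network touch. The following is an added example, not Starlette's code or its actual fix, showing a lookup that classifies the request path with Windows rules before any filesystem or network call is made. It uses `ntpath` so the classification behaves the same on Linux, where it can be run and tested; the `realpath` parameter of `lookup_path` and the `_tripwire_realpath` stand-in are test hooks invented here to prove the UNC path never reaches resolution. The sample static root is constructed in a temporary directory.

```python
import ntpath
import os
import tempfile


def is_unc_or_absolute(request_path: str) -> bool:
    """Return True if the path could leave the static root on Windows.

    ntpath applies Windows path rules on any OS, so this runs (and is
    testable) on Linux too. Rejected shapes: drive-letter paths (C:\\...),
    UNC paths (//host/share or \\\\host\\share, the form that triggers the
    SMB round-trip), and paths rooted on the current drive (\\foo or /foo).
    """
    drive, rest = ntpath.splitdrive(request_path)
    if drive:
        return True
    return rest[:1] in ("/", "\\")


def lookup_path(directory: str, request_path: str, realpath=os.path.realpath):
    """Hypothetical static-file lookup (not Starlette's code).

    The pre-check runs *before* any filesystem call, so a UNC path never
    reaches realpath. `realpath` is injectable purely so callers and tests
    can prove that; production code would leave the default.
    Returns the resolved file path, or None if the request is refused.
    """
    if is_unc_or_absolute(request_path):
        return None
    root = realpath(directory)
    full_path = realpath(os.path.join(root, request_path))
    # Containment check: only files under the static root may be served.
    if os.path.commonpath([full_path, root]) != root:
        return None
    return full_path if os.path.isfile(full_path) else None


def _tripwire_realpath(path: str) -> str:
    """Stand-in for the network touch: fail loudly if a UNC host is resolved."""
    if "attacker.example" in path:
        raise RuntimeError("realpath reached the UNC host: %s" % path)
    return os.path.realpath(path)


def demo() -> dict:
    """Exercise the guard against a constructed static root (sample data)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "css"))
        with open(os.path.join(root, "css", "app.css"), "w") as fh:
            fh.write("body { margin: 0 }\n")
        return {
            "served": lookup_path(root, "css/app.css", _tripwire_realpath) is not None,
            "unc_rejected": lookup_path(root, "//attacker.example/share", _tripwire_realpath) is None,
            "traversal_rejected": lookup_path(root, "../../etc/passwd", _tripwire_realpath) is None,
            "missing_is_none": lookup_path(root, "css/nope.css", _tripwire_realpath) is None,
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Without the pre-check, `os.path.join(root, "//attacker.example/share")` discards the root (the second component is absolute) and hands the bare UNC path to `realpath`, which is exactly where the tripwire, and on Windows the SMB client, would fire. The traversal case shows the original post-resolution containment check is still needed for relative paths; the pre-check only covers inputs that must never be resolved at all.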

Defensive priority

High

Recommended defensive actions

  • Upgrade Starlette to 1.1.0 or later. For FastAPI and other frameworks that depend on Starlette, pin the transitive `starlette` dependency if the framework's own release has not yet moved to a fixed version.
  • If upgrading is not immediately feasible, `follow_symlink=True` takes the unaffected code path. Treat this as a temporary measure and check the static directory first: with this setting, symlinks inside it are followed, so any symlink pointing outside the directory becomes servable.
  • Block outbound SMB (TCP 445, and 139 for legacy NetBIOS) from application hosts at both the host firewall and the perimeter; a web server has no reason to initiate SMB to the internet. Where policy allows, also set the Windows policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to deny, which stops the credential leak even if a connection is attempted.
  • Monitor for outbound connections to TCP 445 from the application host and for NTLM authentication by the service account against unexpected or external hosts.
  • Serve static assets from a reverse proxy or CDN rather than from the application process, so request paths never reach `os.path` APIs inside the app.
  • Run the service under a dedicated low-privilege account with a long random password (for example a group managed service account), so a captured NTLMv2 response is impractical to crack offline and a relayed session has little it can reach.

Evidence notes

The information provided is based on the CVE record and NVD details. The vulnerability was published on June 17, 2026, and last updated on June 22, 2026 (see the dates above). The CVSS score and vector are those provided by the NVD. The fix and the security advisory are available on the Starlette GitHub repository.

Official resources

The CVE-2026-48818 record (published June 17, 2026, last updated June 22, 2026) and the Starlette security advisory and fix on the project's GitHub repository.