Improper Validation in Starlette Framework Affects URL Rebuilding
CVE-2026-48710

6.5 MEDIUM

Key Information:

Vendor: Kludex
Status: Vendor
CVE Published: 26 May 2026

What is CVE-2026-48710?

Starlette, an ASGI framework, does not validate the HTTP 'Host' request header before using it to rebuild 'request.url'. Because the URL is reassembled from the raw header value, a client that controls the 'Host' header can influence what 'request.url' reports, including its path component. Middleware and endpoints that base security decisions on 'request.url' (for example, path-based access rules) can therefore be bypassed: routing still matches on the original HTTP path carried in the ASGI scope, so the path the router dispatches on can differ from the path that 'request.url' shows. Users are urged to upgrade to Starlette 1.0.1 or later, where the 'Host' header is validated against the relevant RFC grammar before it is used.
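The Python example below is added here to illustrate the behaviour described above; it is not Starlette's own code. It models the URL rebuild in a simplified form (scheme + Host header + path + query string, parsed with urllib.parse.urlsplit), a stand-in middleware that gates /admin on request.url.path while the router dispatches on scope["path"], and a validating variant. The ASGI scope layout, the make_scope helper, the constructed Host values, and the is_valid_host regex (a simplified RFC 3986 host[:port] grammar written for this example, not the check shipped in Starlette 1.0.1) are all assumptions.

```python
import re
from urllib.parse import SplitResult, urlsplit

# Simplified RFC 3986 "host [ ":" port ]" grammar: an IP-literal in brackets or a
# reg-name made of unreserved / pct-encoded / sub-delims characters, followed by
# an optional numeric port. "/", "?" and "#" are not in that alphabet, which is
# what stops a Host value from smuggling path, query or fragment text into the
# rebuilt URL. Written for this example; not Starlette 1.0.1's own validation.
_HOST_RE = re.compile(
    r"^(?:\[[0-9A-Fa-f:.]+\]|(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*)(?::[0-9]*)?$"
)


def is_valid_host(host: str) -> bool:
    return _HOST_RE.match(host) is not None


def rebuild_url(scope: dict, validate_host: bool = False) -> SplitResult:
    """Model of rebuilding request.url from an ASGI scope: scheme + Host header
    (falling back to scope["server"]) + path + query string, then urlsplit().
    With validate_host=True a Host value outside the grammar is refused."""
    scheme = scope.get("scheme", "http")
    path = scope["path"]
    query = scope.get("query_string", b"")
    host = None
    for name, value in scope["headers"]:
        if name == b"host":
            host = value.decode("latin-1")
            break
    if host is None:
        server_host, port = scope["server"]
        default_port = {"http": 80, "https": 443, "ws": 80, "wss": 443}[scheme]
        host = server_host if port == default_port else f"{server_host}:{port}"
    elif validate_host and not is_valid_host(host):
        raise ValueError(f"invalid Host header: {host!r}")
    url = f"{scheme}://{host}{path}"
    if query:
        url += "?" + query.decode()
    return urlsplit(url)


def make_scope(path: str, host: str, query_string: bytes = b"") -> dict:
    """Constructed ASGI HTTP scope for the example (not a captured request)."""
    return {
        "type": "http",
        "scheme": "http",
        "server": ("example.com", 80),
        "path": path,
        "query_string": query_string,
        "headers": [(b"host", host.encode("latin-1"))],
    }


def admin_guard_bypassed(scope: dict, validate_host: bool = False) -> bool:
    """Stand-in for a middleware that requires auth when request.url.path starts
    with /admin. The router, by contrast, dispatches on scope["path"]. Returns
    True when the router would reach an /admin endpoint the guard never saw."""
    url = rebuild_url(scope, validate_host)
    guard_sees_admin = url.path.startswith("/admin")
    router_sees_admin = scope["path"].startswith("/admin")
    return router_sees_admin and not guard_sees_admin


def host_rejected(scope: dict) -> bool:
    """True when the validating rebuild refuses the request's Host header."""
    try:
        rebuild_url(scope, validate_host=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    honest = make_scope("/admin/users", "example.com")
    crafted = make_scope("/admin/users", "example.com/public#")
    print("honest  url.path:", rebuild_url(honest).path, "bypass:", admin_guard_bypassed(honest))
    print("crafted url.path:", rebuild_url(crafted).path, "bypass:", admin_guard_bypassed(crafted))
    print("crafted rejected once Host is validated:", host_rejected(crafted))
```

With Host set to "example.com/public#" and a request path of /admin/users, the rebuilt URL becomes http://example.com/public#/admin/users, so request.url.path reads /public while the router still matches /admin/users; a Host of "example.com?x=" has the same effect through the query component. The validating variant refuses both before any URL is built, which is the shape of fix the advisory describes.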

Affected Version(s)

starlette < 1.0.1

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Note: the metrics listed here (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) evaluate to 7.3 (HIGH) under the CVSS v3.1 base-score formula; a score of 6.5 corresponds to the same vector with Availability: None. One of the two values shown on this page is therefore inconsistent with the other, so confirm the vector string in the authoritative record before relying on either.

Timeline

  • Vulnerability published: 26 May 2026

  • Vulnerability reserved