SSRF Vulnerability in Starlette Affects Windows Deployments
CVE-2026-48818

CVSS: 7.5 HIGH

Key Information:

  • Vendor: Kludex
  • Status: Vendor
  • CVE Published: 17 June 2026

What is CVE-2026-48818?

A vulnerability has been identified in Starlette, a lightweight ASGI framework, affecting versions 1.0.1 and prior. When Starlette is deployed on Windows, its StaticFiles component is susceptible to SSRF. An attacker who requests a crafted UNC path causes StaticFiles to pass that path to os.path.realpath, which in turn makes the server open an outbound SMB connection to the host named in the path. The connection is made even though the request ultimately receives a 404 response, so the service account's NTLMv2 credentials can be exposed to that host and used for offline cracking or relay attacks. The vulnerability affects only deployments that use the default follow_symlink=False; POSIX systems and configurations with follow_symlink=True are not affected. The issue has been addressed in version 1.1.0, so updating is recommended.
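As an added defensive example (not Starlette's own code; the helper names are assumptions), the check below rejects request paths that would form a Windows UNC, drive-letter or parent-directory path lexically, before any filesystem resolver such as os.path.realpath is invoked on them:

```python
import os
import posixpath
from typing import Optional

# Added example, not Starlette's own code; helper names are assumptions.
# The point: validate the raw request path lexically BEFORE any call that
# may resolve it on disk (os.path.realpath can open an SMB connection for a
# UNC path on Windows), so a UNC-shaped path never reaches the resolver.


def is_suspicious_static_path(request_path: str) -> bool:
    """Return True if the path could escape the static root or form a
    Windows UNC, device, or drive-letter path."""
    # A backslash never belongs in a URL path; on Windows it is a separator
    # and "\\host\share" is exactly the UNC form the advisory describes.
    if "\\" in request_path:
        return True
    # A leading "//" is also treated as a UNC prefix by Windows path APIs.
    if request_path.startswith("//"):
        return True
    parts = [p for p in request_path.split("/") if p not in ("", ".")]
    # Parent references can walk out of the static directory.
    if ".." in parts:
        return True
    # A component like "C:" would make os.path.join discard the static root.
    return any(len(p) >= 2 and p[0].isalpha() and p[1] == ":" for p in parts)


def resolve_static_path(static_root: str, request_path: str) -> Optional[str]:
    """Map a request path to a file under static_root, or None if rejected.
    Uses only lexical normalisation; no symlink resolution is attempted."""
    if is_suspicious_static_path(request_path):
        return None
    rel = posixpath.normpath("/" + request_path).lstrip("/")
    root = os.path.abspath(static_root)
    candidate = os.path.abspath(os.path.join(root, rel))
    # commonpath is a pure string check; the candidate must stay under root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample request paths, as a server might receive them.
    for p in ("css/app.css", "../../secret.txt", "//fileserver.example/share/x"):
        print(repr(p), "->", resolve_static_path("static", p))
```

Only requests that pass this check should reach any realpath-based symlink check; the rejected ones get a 404 without touching the filesystem or the network.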

Affected Version(s)

starlette < 1.1.0

References

CVSS V3.1

  • Score: 7.5
  • Severity: HIGH
  • Confidentiality: High
  • Integrity: None
  • Availability: High
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability Reserved