HTTP Fetch Vulnerability in Astro Web Framework Affecting Versions Pre-6.4.6
CVE-2026-54299

7.5HIGH

Key Information:

Vendor

Withastro

Status
Vendor
CVE Published:
22 June 2026

What is CVE-2026-54299?

The Astro web framework prior to version 6.4.6 does not properly validate the Host header, and the flaw could be exploited by an attacker. When an Astro SSR application is configured with prerendered error pages and encounters an error, the framework fetches the error page over HTTP using a URL built from the Host header of the incoming request. Because the Host header is not checked against a list of permitted domains, a malicious actor can supply a crafted Host value and potentially redirect that internal request to an arbitrary host. This could lead to unauthorized access to sensitive information returned by the target host.
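As an added illustration (not Astro's own code, which this record does not show), the class of check the description calls for: a Host header is used to build the error-page fetch URL only if it parses as a bare hostname with an optional port and appears in a configured allowlist; otherwise the fetch falls back to a configured site origin. The allowlist, the site origin and the /404.html path are assumed values, and the unsafe function shows the naive pattern for contrast.

```javascript
// Added example, not Astro's code: allowlist-validate the Host header before
// it is used as the origin of an internal fetch for a prerendered error page.
const PERMITTED_HOSTS = new Set(['example.com', 'www.example.com']); // assumed allowlist

// Hostname labels with an optional numeric port; anything else (userinfo '@',
// paths, spaces, IPv6 literals) is rejected rather than passed to the URL builder.
const HOST_RE = /^([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*)(?::(\d{1,5}))?$/i;

// Returns a normalised "host[:port]" when the header is acceptable, else null.
function validateHostHeader(hostHeader, permitted = PERMITTED_HOSTS) {
  if (typeof hostHeader !== 'string') return null;
  const m = HOST_RE.exec(hostHeader.trim());
  if (!m) return null;
  const hostname = m[1].toLowerCase();
  const port = m[2] === undefined ? null : Number(m[2]);
  if (port !== null && (port < 1 || port > 65535)) return null;
  if (!permitted.has(hostname)) return null;
  return port === null ? hostname : `${hostname}:${port}`;
}

// Naive pattern: the fetch origin is taken verbatim from the incoming request,
// so whoever controls the Host header controls where the request goes.
function errorPageUrlUnsafe(req, protocol = 'https') {
  return `${protocol}://${req.headers.host}/404.html`;
}

// Hardened pattern: only an allowlisted host is used; otherwise the configured
// site origin (assumed value) is used, so the request never leaves known hosts.
function errorPageUrlSafe(req, siteOrigin = 'https://example.com') {
  const host = validateHostHeader(req.headers.host);
  const origin = host ? `https://${host}` : siteOrigin;
  return new URL('/404.html', origin).href;
}
```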

Affected Version(s)

astro < 6.4.6

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
