CVE-2026-48710 Overview
CVE-2026-48710 is a security bypass vulnerability in Starlette, a lightweight Python ASGI framework widely used as the foundation for FastAPI and similar web stacks. Versions prior to 1.0.1 fail to validate the HTTP Host request header before using it to reconstruct request.url. Because Starlette's router relies on the raw HTTP path while request.url is rebuilt from the Host header, a malformed header can cause request.url.path to diverge from the path that was actually requested. Middleware and endpoints that enforce security restrictions based on request.url rather than the raw ASGI scope path can be bypassed. The issue is tracked under [CWE-444] (Inconsistent Interpretation of HTTP Requests).
Critical Impact
Attackers can craft malformed Host headers to bypass URL-based access controls in middleware, accessing routes that should be restricted.
Affected Products
- Starlette ASGI framework versions prior to 1.0.1
- Python web applications built on Starlette
- FastAPI and other frameworks that embed Starlette as a dependency
Discovery Timeline
- 2026-05-26 - CVE-2026-48710 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-48710
Vulnerability Analysis
Starlette exposes two representations of the requested URL. The ASGI scope dictionary carries the raw path as parsed from the wire, while request.url is a convenience object rebuilt at access time. The reconstruction concatenates the scheme, the value of the Host header, and the raw path without validating that the Host header conforms to RFC 9112 §3.2 or RFC 3986 §3.2.2 grammar.
When an attacker supplies a malformed Host header containing characters such as additional path separators, query delimiters, or fragment markers, the parsed request.url.path no longer matches the path the router used to dispatch the request. Any middleware that inspects request.url.path to decide whether to allow the request, including admin gating, CSRF checks, or rate limiting, sees a different value than the endpoint that ultimately executes.
Root Cause
The defect is an HTTP request interpretation inconsistency [CWE-444] in starlette/datastructures.py. The URL construction logic trusts the Host header verbatim. Two components of the same application reach different conclusions about the same request, which is the canonical condition for request smuggling and security check evasion.
Attack Vector
Exploitation requires only network access to the target application. The attacker issues an HTTP request to a permitted path while supplying a crafted Host header that, when concatenated into a URL, produces a request.url.path referencing a protected resource, or vice versa. No authentication or user interaction is required.
# Patch excerpt from starlette/datastructures.py
# Source: https://github.com/Kludex/starlette/commit/764dab0dcfb9033d75442d7a359645c9f94648c6
from __future__ import annotations
import re
from collections.abc import ItemsView, Iterable, Iterator, KeysView, Mapping, MutableMapping, Sequence, ValuesView
from shlex import shlex
from typing import Any, BinaryIO, NamedTuple, TypeVar, cast
from urllib.parse import SplitResult, parse_qsl, urlencode, urlsplit
from starlette.concurrency import run_in_threadpool
The fix introduces the re module to validate the Host header against RFC 9112 §3.2 and RFC 3986 §3.2.2 grammar. Malformed values trigger a fallback to scope["server"] when constructing request.url. See the GitHub Security Advisory GHSA-86qp-5c8j-p5mr and the X41-Dsec advisory for full technical details.
Detection Methods for CVE-2026-48710
Indicators of Compromise
- HTTP requests with Host headers containing reserved URL characters such as /, ?, #, or whitespace.
- Host header values exceeding expected length or containing multiple colons outside the standard host:port form.
- Access log entries where the request path and the host-derived URL components disagree after normalization.
Detection Strategies
- Compare the raw ASGI scope["path"] against request.url.path in application logs and alert on mismatches.
- Configure upstream reverse proxies, WAFs, or load balancers to reject requests whose Host header does not match the RFC 9112 host grammar.
- Add structured logging for the Host header and downstream authorization decisions to enable retroactive hunting.
Monitoring Recommendations
- Track 200-response access to administrative endpoints originating from requests with unusual Host values.
- Monitor dependency manifests (requirements.txt, pyproject.toml, poetry.lock) for Starlette versions earlier than 1.0.1.
- Alert on FastAPI or Starlette applications that have not been redeployed since the patch publication date of 2026-05-26.
How to Mitigate CVE-2026-48710
Immediate Actions Required
- Upgrade Starlette to version 1.0.1 or later across all production and staging environments.
- Audit middleware and route guards that read request.url and refactor them to consume the raw scope["path"] instead.
- Re-test access control assertions after upgrading to confirm that protected routes remain inaccessible with malformed Host headers.
Patch Information
The fix is delivered in Starlette 1.0.1 via commit 764dab0. The patch validates the Host header against the grammar of RFC 9112 §3.2 and RFC 3986 §3.2.2 when constructing request.url, and falls back to scope["server"] when the header is malformed. Additional context is available in the OSTIF disclosure post and the Python Advisory Database entry PYSEC-2026-161.
Workarounds
- Place a reverse proxy such as NGINX or Envoy in front of the application and reject requests with non-conforming Host headers.
- Rewrite security middleware to authorize on scope["path"] and the raw scope["headers"] host entry rather than request.url.
- Pin the dependency to a fixed version in lockfiles to prevent unpatched deployments from regressing.
# Upgrade Starlette to the patched release
pip install --upgrade 'starlette>=1.0.1'
# Verify the installed version
python -c "import starlette; print(starlette.__version__)"
# Example NGINX guard rejecting malformed Host headers
# Place in the server block fronting the ASGI application
# Note: this pattern only admits dotted names/IPv4 plus an optional port; it also rejects
# bracketed IPv6 literals and underscores, so widen it if legitimate clients use those forms
if ($http_host !~* "^[A-Za-z0-9.\-]+(:[0-9]+)?$") {
return 400;
}
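An added example, not Starlette's code and not part of the original advisory: a pure-ASGI middleware that implements the second workaround above by authorizing on scope["path"] and the raw Host entry in scope["headers"], and that rejects Host values outside the RFC 9112 / RFC 3986 host grammar before any request.url reconstruction can run. The loopback-only policy, ok_app and the run_request harness are constructed for the demo; no Starlette install is needed.

```python
import asyncio
import re

# RFC 9112 s3.2: Host = uri-host [":" port]; RFC 3986 s3.2.2: host = IP-literal / IPv4address / reg-name (reg-name chars cover dotted IPv4; IP-literal is a bracketed IPv6 or IPvFuture address).
_REG_NAME = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*"
_IP_LITERAL = r"\[(?:[0-9A-Fa-f:.]+|v[0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+)\]"
HOST_RE = re.compile(rf"(?:{_REG_NAME}|{_IP_LITERAL})(?::[0-9]*)?")

def is_valid_host(value: str) -> bool:
    """True when value matches the grammar above; an empty Host is rejected too (stricter than the RFC)."""
    return bool(value) and HOST_RE.fullmatch(value) is not None

def raw_host(scope) -> str:
    """Read Host straight from scope["headers"], never from a request.url rebuilt from it."""
    for name, value in scope.get("headers", []):
        if name.lower() == b"host":
            return value.decode("latin-1")
    return ""

async def _respond(send, status: int, body: bytes) -> None:
    await send({"type": "http.response.start", "status": status, "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": body})

class PathGuardMiddleware:
    """Gate the protected prefixes on scope["path"], the same value the router dispatches on."""
    def __init__(self, app, protected, allow):
        self.app, self.protected, self.allow = app, tuple(protected), allow

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        if not is_valid_host(raw_host(scope)):  # malformed Host never reaches URL reconstruction
            return await _respond(send, 400, b"malformed Host header")
        if scope["path"].startswith(self.protected) and not self.allow(scope):
            return await _respond(send, 403, b"forbidden")
        await self.app(scope, receive, send)

async def ok_app(scope, receive, send):
    await _respond(send, 200, b"ok")

# Hypothetical demo policy: only loopback clients may reach /admin (stand-in for real authorization).
guarded = PathGuardMiddleware(ok_app, ("/admin",), lambda s: s.get("client", ("", 0))[0] == "127.0.0.1")

def run_request(app, path: str, host: str, client=("203.0.113.5", 4321)) -> int:
    """Drive one constructed ASGI request through app and return the response status code."""
    scope = {"type": "http", "method": "GET", "path": path, "query_string": b"", "client": client, "headers": [(b"host", host.encode("latin-1"))]}
    sent = []
    async def send(message): sent.append(message)
    asyncio.run(app(scope, None, send))  # receive is never awaited by the guard or ok_app
    return sent[0]["status"]
```

Because the decision is taken on scope["path"], a Host value carrying "/", "?" or "#" cannot move the guard's view of the path; such values are refused with 400 before dispatch.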