{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-48710","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-05-22T18:47:27.755Z","datePublished":"2026-05-26T21:54:54.393Z","dateUpdated":"2026-06-30T01:48:17.511Z"},"containers":{"cna":{"title":"Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks","problemTypes":[{"descriptions":[{"cweId":"CWE-444","lang":"en","description":"CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr","tags":["x_refsource_CONFIRM"],"url":"https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr"},{"name":"https://github.com/Kludex/starlette/commit/764dab0dcfb9033d75442d7a359645c9f94648c6","tags":["x_refsource_MISC"],"url":"https://github.com/Kludex/starlette/commit/764dab0dcfb9033d75442d7a359645c9f94648c6"},{"name":"https://badhost.org","tags":["x_refsource_MISC"],"url":"https://badhost.org"},{"name":"https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2026-161.yaml","tags":["x_refsource_MISC"],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2026-161.yaml"},{"name":"https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette","tags":["x_refsource_MISC"],"url":"https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette"},{"name":"https://www.secwest.net/starlette","tags":["x_refsource_MISC"],"url":"https://www.secwest.net/starlette"},{"name":"https://www.x41-dsec.de/lab/advisories/x41-2026-002-starlette","tags":["x_refsource_MISC"],"url":"https://www.x41-dsec.de/lab/advisories/x41-2026-002-starlette"}],"affected":[{"vendor":"Kludex","product":"starlette","versions":[{"version":"< 1.0.1","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-05-26T21:54:54.393Z"},"descriptions":[{"lang":"en","value":"Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope[\"server\"]` for malformed values."}],"source":{"advisory":"GHSA-86qp-5c8j-p5mr","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-27T14:22:19.241769Z","id":"CVE-2026-48710","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-27T14:26:57.893Z"}},{"affected":[{"cpes":["cpe:/a:redhat:ai_inference_server:3.3::el9"],"defaultStatus":"affected","product":"Red Hat AI Inference Server 3.3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_automation_platform:2.6::el9"],"defaultStatus":"affected","product":"Red Hat Ansible Automation Platform 2.6","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_automation_platform:2.7::el9"],"defaultStatus":"affected","product":"Red Hat Ansible Automation Platform 2.7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:satellite:6.18::el9"],"defaultStatus":"affected","product":"Red Hat Satellite 6.18","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:satellite:6.19::el9"],"defaultStatus":"affected","product":"Red Hat Satellite 6.19","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:exploit_intelligence:0"],"defaultStatus":"affected","product":"Exploit Intelligence","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:migration_toolkit_applications:8"],"defaultStatus":"affected","product":"Migration Toolkit for Applications 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_lightspeed"],"defaultStatus":"affected","product":"OpenShift Lightspeed","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ai_inference_server:3"],"defaultStatus":"affected","product":"Red Hat AI Inference Server","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:satellite:6"],"defaultStatus":"affected","product":"Red Hat Satellite 6","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ansible_automation_platform:2"],"defaultStatus":"unaffected","product":"Red Hat Ansible Automation Platform 2","vendor":"Red Hat"}],"datePublic":"2026-05-26T21:54:54.393Z","descriptions":[{"lang":"en","value":"A flaw was found in Starlette, a lightweight ASGI (Asynchronous Server Gateway Interface) framework. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP `Host` request header. This malformed header could cause the `request.url` to be incorrectly reconstructed, leading to a discrepancy with the actual requested path. Consequently, security restrictions enforced by middleware and endpoints that rely on `request.url` for validation could be bypassed, potentially allowing unauthorized access or actions."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Critical"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1289","description":"Improper Validation of Unsafe Equivalence in Input","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-48710"},{"name":"RHBZ#2481742","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2481742"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48710.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:30089"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:30088"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:24866"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:23346"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:22993"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:26226"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:22992"}],"solutions":[{"lang":"en","value":"RHSA-2026:30089: Red Hat AI Inference Server 3.3"},{"lang":"en","value":"RHSA-2026:30088: Red Hat AI Inference Server 3.3"},{"lang":"en","value":"RHSA-2026:24866: Red Hat Ansible Automation Platform 2.6"},{"lang":"en","value":"RHSA-2026:23346: Red Hat Ansible Automation Platform 2.7"},{"lang":"en","value":"RHSA-2026:22993: Red Hat Satellite 6.18"},{"lang":"en","value":"RHSA-2026:26226: Red Hat Satellite 6.18"},{"lang":"en","value":"RHSA-2026:22992: Red Hat Satellite 6.19"}],"timeline":[{"lang":"en","time":"2026-05-26T23:01:03.204Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-26T21:54:54.393Z","value":"Made public."}],"title":"starlette: Starlette: Security restriction bypass via malformed HTTP Host header","workarounds":[{"lang":"en","value":"Deploying an RFC-compliant reverse proxy (such as nginx, Apache, HAProxy, or Caddy) in front of the ASGI server will reject malformed Host headers before they reach the application. This is the most straightforward mitigation that does not require code changes.\n\nIf custom middleware is present, it should be updated to use `request.scope[\"path\"]` instead of `request.url.path` for any security decisions. The ASGI scope path is derived from the HTTP request line and is not influenced by the Host header, so it reflects the actual request target."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T01:48:17.511Z"}}]}}