CVE-2026-48710

Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks

CVSS 6.5 MEDIUM · EPSS 1.4% · CWE-1289 · CWE-444
In short

Starlette did not validate the HTTP Host header before using it to rebuild request.url. A crafted Host value could therefore make request.url.path differ from the path that was actually requested and routed, so security checks that rely on request.url.path instead of the raw ASGI scope path could be bypassed.

Technical detail

The vulnerability exists in Starlette versions before 1.0.1, where the Host header is spliced into the reconstructed request.url without being validated against the host grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2. Routing dispatches on the raw scope["path"], but request.url is rebuilt from the Host header, so a malformed Host value can make request.url.path diverge from the path the router actually used. Path-based security middleware and endpoint restrictions that inspect request.url rather than scope["path"] can then be bypassed. Version 1.0.1 validates the header and falls back to scope["server"] when it is malformed.

Summary generated and translated by AI from the official description.
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.
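The divergence described in the technical detail above and in the official description, as an added example. This is not Starlette's code: it is a simplified stdlib-only model of the bug class, with a hypothetical `is_protected` access rule, a constructed ASGI-style scope, and a constructed malformed Host value chosen only to show how an unvalidated header can shift the reconstructed path. The unvalidated builder stands in for the pre-1.0.1 behaviour; the validated builder applies the RFC 3986 §3.2.2 host grammar (approximated, IPvFuture not modelled) and falls back to scope["server"], which is the fix the advisory describes.

```python
import re
from urllib.parse import urlsplit

# Added example, not Starlette's code: a simplified model of CVE-2026-48710's
# bug class. Routing uses scope["path"]; the URL is rebuilt from the Host header.

# RFC 3986 §3.2.2 host = IP-literal / IPv4address / reg-name, plus optional
# ":port" (§3.2.3). reg-name = *( unreserved / pct-encoded / sub-delims ).
# Approximation: IPvFuture is not modelled, IPv4 is covered by reg-name.
_REG_NAME = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*"
_IP_LITERAL = r"\[[0-9A-Fa-f:.]+\]"
_HOST_RE = re.compile(rf"^(?:{_IP_LITERAL}|{_REG_NAME})(?::[0-9]*)?$")


def is_valid_host_header(value: str) -> bool:
    """True when value fits Host = uri-host [":" port] (RFC 9112 §3.2)."""
    return _HOST_RE.fullmatch(value) is not None


def url_unvalidated(scheme: str, host_header: str, path: str) -> str:
    """Vulnerable pattern: splice the raw Host header straight into the URL."""
    return f"{scheme}://{host_header}{path}"


def url_validated(scheme: str, host_header, server: tuple, path: str) -> str:
    """Hardened pattern: use Host only if well-formed, else fall back to scope['server']."""
    if host_header is not None and is_valid_host_header(host_header):
        authority = host_header
    else:
        host, port = server
        default_port = {"http": 80, "https": 443}[scheme]
        authority = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{authority}{path}"


def is_protected(path: str) -> bool:
    """Hypothetical access rule a path-based middleware might enforce."""
    return path.startswith("/admin")


def evaluate(scope: dict, host_header: str) -> dict:
    """Compare the verdicts of three ways a middleware could derive the path it checks."""
    path = scope["path"]  # what the router actually dispatched on
    via_unvalidated = urlsplit(url_unvalidated(scope["scheme"], host_header, path)).path
    via_validated = urlsplit(
        url_validated(scope["scheme"], host_header, scope["server"], path)
    ).path
    return {
        "routed_path": path,
        "url_path_unvalidated": via_unvalidated,
        "url_path_validated": via_validated,
        "blocked_by_url_check_unvalidated": is_protected(via_unvalidated),
        "blocked_by_url_check_validated": is_protected(via_validated),
        "blocked_by_scope_check": is_protected(path),
    }


# Constructed ASGI-style scope: the router dispatched this request to /admin/users.
SCOPE = {
    "type": "http",
    "scheme": "http",
    "path": "/admin/users",
    "server": ("10.0.0.5", 8000),
}

if __name__ == "__main__":
    # Second value is a constructed malformed Host: "/" is not part of the host grammar.
    for host in ("app.example", "app.example/static"):
        print(host, evaluate(SCOPE, host))
```

With the well-formed Host all three checks agree. With the malformed value, the URL rebuilt from the raw header parses to a path that no longer starts with /admin, so a check on request.url.path lets the request through while the router still serves /admin/users; both the scope-based check and the validated builder keep the verdict tied to the routed path. The practical takeaway is the one in the advisory: authorize on scope["path"] (or upgrade to 1.0.1+), not on a URL rebuilt from client-controlled headers.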
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected products
Kludex · starlette