Vulnerability Report

CVE-2026-48710

Title: Host Header Validation Bypass in Starlette

Other

Proof Of Concept

PoC Available for CVE-2026-48710

CWE Category CWE-444

Published Date May 26, 2026

Modified Date Jun 16, 2026

Exploit Status Available

Score 6.5 CVSS v3.1

Exploit Probability (EPSS)

1.00%

Vulnerability Summary

CVE-2026-48710: Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.

Impacted Vendors

encode 1

Reference Links

https://badhost.org https://github.com/Kludex/starlette/commit/764dab0dcfb9033d75442d7a359645c9f94648c6 https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2026-161.yaml https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette https://www.secwest.net/starlette https://www.x41-dsec.de/lab/advisories/x41-2026-002-starlette

CVSS v3.1

Source Entity [email protected]

Severity MEDIUM

6.5

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v3.1

Source Entity [email protected]

Severity MEDIUM

6.5

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v3.1

Source Entity 0b0ca135-0b70-47e7-9f44-1890c2a1c46c

Severity MEDIUM

6.5

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2026-48710 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/xtremebeing/starlette-host-header-lab

View Code

GitHub https://github.com/eris-ths/supply-chain-guard

View Code

June 16, 2026 MODIFIED

Vulnerability data updated via NVD.

June 03, 2026 MODIFIED

Vulnerability data updated via NVD.

May 29, 2026 MODIFIED

Vulnerability data updated via NVD.

May 26, 2026 MODIFIED

Vulnerability data updated via NVD.

Attack Vector Matrix

Access Vector NETWORK

Complexity LOW

Privileges N/A

Interaction NONE

CVSS Vector String


                                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected Stack

No specific products linked.