Starlette reconstructs the requested URL from the HTTP Host request header and the requested path, but does not perform any validation of the Host header value. This allows an attacker to inject path segments into the host part of the reconstructed URL, where they end up prepended to the actual request path. Routing in Starlette, however, is based on the actual request path. This inconsistent interpretation of the same HTTP request may lead to issues such as authentication bypass when authentication depends on the path of the reconstructed URL.
| Name | purl |
|---|---|
| starlette | pkg:pypi/starlette |
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "starlette",
"purl": "pkg:pypi/starlette"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"X41-2026-002",
"CVE-2026-48710",
"GHSA-86qp-5c8j-p5mr"
],
"details": "Starlette reconstructs the requested URL based on the HTTP Host request header and requested path, but does not perform any validation of the Host header value. This allows attackers to inject paths into the host part, prepending the actual path. However, routing in Starlette is based on the actual request path. This inconsistent interpretation of HTTP requests may lead to issues such as authentication bypass when the authentication depends on the reconstructed URL\u2019s path.",
"id": "PYSEC-2026-161",
"modified": "2026-05-22T13:11:38.659740Z",
"references": [
{
"type": "ARTICLE",
"url": "https://badhost.org"
},
{
"type": "ARTICLE",
"url": "https://www.secwest.net/starlette"
},
{
"type": "ARTICLE",
"url": "https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette/"
},
{
"type": "DETECTION",
"url": "https://badhost.org"
},
{
"type": "EVIDENCE",
"url": "https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr"
},
{
"type": "ADVISORY",
"url": "https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr"
},
{
"type": "ADVISORY",
"url": "https://www.x41-dsec.de/lab/advisories/x41-2026-002-starlette/"
},
{
"type": "FIX",
"url": "https://github.com/Kludex/starlette/commit/764dab0dcfb9033d75442d7a359645c9f94648c6"
}
],
"summary": "BadHost: Missing Host header validation poisons request.url.path, bypassing path-based security checks"
}
CVE-2026-48710 (GCVE-0-2026-48710)
Vulnerability from cvelistv5 – Published: 2026-05-26 21:54 – Updated: 2026-06-16 12:11

| URL | Tags |
|---|---|
| https://github.com/Kludex/starlette/security/advi… | x_refsource_CONFIRM |
| https://github.com/Kludex/starlette/commit/764dab… | x_refsource_MISC |
| https://badhost.org | x_refsource_MISC |
| https://github.com/pypa/advisory-database/tree/ma… | x_refsource_MISC |
| https://ostif.org/disclosing-the-badhost-vulnerab… | x_refsource_MISC |
| https://www.secwest.net/starlette | x_refsource_MISC |
| https://www.x41-dsec.de/lab/advisories/x41-2026-0… | x_refsource_MISC |
| https://access.redhat.com/security/cve/CVE-2026-48710 | vdb-entry, x_refsource_REDHAT |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
| https://www.cve.org/CVERecord?id=CVE-2026-48710 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48710",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T14:22:19.241769Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T14:26:57.893Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-tpu-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-cpu-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-spyre-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-rocm-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-cuda-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-cuda-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-rocm-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "ansible-automation-platform-25/lightspeed-chatbot-rhel8",
"product": "ansible_automation_platform-2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaii/vllm-gaudi-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaii/vllm-rocm-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-tpu-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaii/vllm-cuda-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "ansible-automation-platform-26/lightspeed-chatbot-rhel9",
"product": "ansible_automation_platform-2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-spyre-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaii/vllm-spyre-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected",
"packageName": "ansible-automation-platform-26/mcp-tools-rhel9",
"product": "ansible_automation_platform-2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaii/vllm-cpu-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "mta/mta-solution-server-rhel9",
"product": "mta-8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "exploit-intelligence-tech-preview/vulnerability-analysis-rhel9",
"product": "exploit-intelligence",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "openshift-lightspeed/lightspeed-ocp-rag-rhel9",
"product": "ols-1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaii/vllm-tpu-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-neuron-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaii/vllm-neuron-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "openshift-lightspeed/lightspeed-service-api-rhel9",
"product": "ols-1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-caikit-nlp-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-aws-cuda-rhel9",
"product": "rhel-ai-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "ask-sre",
"product": "openshift-hosted-osd4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-azure-cuda-rhel9",
"product": "rhel-ai-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-built-in-detector-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-gaudi-rhel9",
"product": "rhel-ai-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-rocm-rhel9",
"product": "rhel-ai-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhelai3/disk-image-cuda-rhel9",
"product": "rhel-ai-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-gcp-cuda-rhel9",
"product": "rhel-ai-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-cuda-rhel9",
"product": "rhel-ai-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "satellite/iop-advisor-engine-rhel9",
"product": "rhn_satellite_6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhel-cla/rlsapi-rhel10",
"product": "rhel-cla-0",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-azure-rocm-rhel9",
"product": "rhel-ai-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-vllm-cuda-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-guardrails-detector-huggingface-runtime-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-llama-stack-core-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-feature-server-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-vllm-gaudi-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-kserve-storage-initializer-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-caikit-tgis-serving-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-guardrails-detector-huggingface-runtime-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-guardrails-detector-huggingface-runtime-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-kserve-controller-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-feature-server-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-kserve-agent-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-kserve-router-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-vllm-gaudi-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-automl-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-mlflow-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-llama-stack-core-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-built-in-detector-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-built-in-detector-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-vllm-rocm-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-feature-server-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-mlserver-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-trustyai-nemo-guardrails-server-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-training-cuda128-torch29-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-kserve-storage-initializer-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-trustyai-nemo-guardrails-server-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-kserve-storage-initializer-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-training-cuda128-torch29-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-kserve-router-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-kserve-agent-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-th06-rocm64-torch291-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-kserve-controller-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-kserve-autogluon-server-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-vllm-gaudi-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-th06-cuda130-torch210-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-llm-d-kv-cache-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-mlflow-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-mlserver-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-th06-cpu-torch210-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-llama-stack-core-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "aap-installers-rag-content",
"product": "services-ansible-lightspeed-chatbot",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "satellite/iop-vulnerability-engine-rhel9",
"product": "rhn_satellite_6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "satellite/iop-vmaas-rhel9",
"product": "rhn_satellite_6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "satellite/foreman-mcp-server-rhel9",
"product": "rhn_satellite_6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "satellite/iop-host-inventory-rhel9",
"product": "rhn_satellite_6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "satellite/iop-host-inventory-rhel9",
"product": "rhn_satellite_6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "satellite/foreman-mcp-server-rhel9",
"product": "rhn_satellite_6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "aap-rag-content",
"product": "services-ansible-lightspeed-chatbot",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "ansible-chatbot-stack",
"product": "services-ansible-lightspeed-chatbot",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "satellite/iop-vulnerability-engine-rhel9",
"product": "rhn_satellite_6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "satellite/iop-vmaas-rhel9",
"product": "rhn_satellite_6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "nexus",
"product": "services-ansible-nexus",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "cloudservices/insights-inventory",
"product": "services-inventory",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "insights-host-inventory",
"product": "services-inventory",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected",
"packageName": "ansible-mcp-tools",
"product": "services-ansible-lightspeed-chatbot",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "cloudservices/rbac",
"product": "services-management-platform",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "digital-roadmap-backend",
"product": "services-digital-roadmap",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "automation-analytics-backend",
"product": "services-ansible-on-clouds",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "insights-rbac",
"product": "services-management-platform",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "unknown@sha256:456a1542e13586a1c2cf1bbbb146124ca53041f5b9680becbebe10095afe881f/unknown@sha256:456a1542e13586a1c2cf1bbbb146124ca53041f5b9680becbebe10095afe881f",
"product": "services-ansible-lightspeed-chatbot",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected",
"packageName": "okp-mcp",
"product": "services-rhel-lightspeed",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected",
"packageName": "google-lightspeed-agent",
"product": "services-lightspeed-agent-google-cloud",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "cloudservices/vulnerability-engine-app",
"product": "services-vulnerability-engine",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "vmaas",
"product": "services-vulnerability-engine",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "vulnerability-engine",
"product": "services-vulnerability-engine",
"vendor": "Red Hat"
}
],
"datePublic": "2026-05-26T21:54:54.393Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Starlette, a lightweight ASGI (Asynchronous Server Gateway Interface) framework. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP `Host` request header. This malformed header could cause the `request.url` to be incorrectly reconstructed, leading to a discrepancy with the actual requested path. Consequently, security restrictions enforced by middleware and endpoints that rely on `request.url` for validation could be bypassed, potentially allowing unauthorized access or actions."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Critical"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1289",
"description": "CWE-1289",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T12:11:19.636Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-48710"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48710.json"
},
{
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48710"
},
{
"url": "https://github.com/Kludex/starlette/commit/764dab0dcfb9033d75442d7a359645c9f94648c6"
},
{
"url": "https://www.x41-dsec.de/lab/advisories/x41-2026-002-starlette"
},
{
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2026-161.yaml"
},
{
"url": "https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette"
},
{
"url": "https://badhost.org"
},
{
"url": "https://www.secwest.net/starlette"
},
{
"url": "https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-26T23:01:03.204Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-26T21:54:54.393Z",
"value": "Made public."
}
],
"title": "Starlette: Security restriction bypass via malformed HTTP Host header",
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 0.1.0"
}
}
],
"cna": {
"affected": [
{
"product": "starlette",
"vendor": "Kludex",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 \u00a73.2 / RFC 3986 \u00a73.2.2 when constructing `request.url` and falls back to `scope[\"server\"]` for malformed values."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T21:54:54.393Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr"
},
{
"name": "https://github.com/Kludex/starlette/commit/764dab0dcfb9033d75442d7a359645c9f94648c6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Kludex/starlette/commit/764dab0dcfb9033d75442d7a359645c9f94648c6"
},
{
"name": "https://badhost.org",
"tags": [
"x_refsource_MISC"
],
"url": "https://badhost.org"
},
{
"name": "https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2026-161.yaml",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2026-161.yaml"
},
{
"name": "https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette",
"tags": [
"x_refsource_MISC"
],
"url": "https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette"
},
{
"name": "https://www.secwest.net/starlette",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.secwest.net/starlette"
},
{
"name": "https://www.x41-dsec.de/lab/advisories/x41-2026-002-starlette",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.x41-dsec.de/lab/advisories/x41-2026-002-starlette"
}
],
"source": {
"advisory": "GHSA-86qp-5c8j-p5mr",
"discovery": "UNKNOWN"
},
"title": "Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48710",
"datePublished": "2026-05-26T21:54:54.393Z",
"dateReserved": "2026-05-22T18:47:27.755Z",
"dateUpdated": "2026-06-16T12:11:19.636Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
GHSA-86QP-5C8J-P5MR
Vulnerability from github – Published: 2026-06-04 13:15 – Updated: 2026-06-04 13:15
Summary
In affected versions, the HTTP Host request header was not validated before being used to reconstruct request.url. Because the routing algorithm relies on the raw HTTP path while request.url is rebuilt from the Host header, a malformed header could make request.url.path differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on request.url (rather than the raw scope path) could therefore be bypassed.
Details
When a client requests http://example.com/foo, it sends:
GET /foo HTTP/1.1
Host: example.com
Affected versions reconstructed the URL by concatenating http://{host}{path} and re-parsing the result. The Host value is only valid as a uri-host [ ":" port ] per RFC 9112 §3.2, where uri-host follows the restricted host grammar of RFC 3986 §3.2.2. When it contains characters outside that grammar - notably /, ?, or # - those characters move the path/query/fragment boundaries during re-parsing, so the parsed request.url.path no longer matches the path the server actually received. For example:
GET /foo HTTP/1.1
Host: example.com/abc?bar=
reconstructs to http://example.com/abc?bar=/foo, whose parsed path is /abc - even though routing used the real path /foo. The router still dispatches to /foo and the endpoint executes, but any middleware or code that reads request.url.path sees /abc, so path-based authorization checks can be bypassed.
Impact
Any application running an affected version that relies on request.url (or request.url.path) for security-sensitive decisions is affected. The most common case is middleware that gates access to certain path prefixes based on request.url.path. Deployments fronted by a proxy or load balancer are mitigated only if that proxy rejects or normalizes the malformed Host header before forwarding and the application does not trust attacker-controlled host headers (e.g. X-Forwarded-Host) elsewhere.
Mitigation
Upgrade to a patched version, which validates the Host header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing request.url and falls back to scope["server"] for malformed values.
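The reconstruction defect from the Details section, modelled as an added Python example (not Starlette's own code; the ASGI scope, the host-grammar regex and all function names are constructed here): the unvalidated `scheme://{host}{path}` rebuild beside a validated one that checks the Host value against the RFC 9112 §3.2 / RFC 3986 §3.2.2 grammar and falls back to `scope["server"]` when it is malformed.

```python
"""Constructed model of the CVE-2026-48710 URL rebuild (not Starlette's code):
pre-1.0.1 behaviour beside a validated rebuild that falls back to
scope["server"] when the Host header is outside the RFC host grammar."""
import re
from urllib.parse import urlsplit

# RFC 3986 §3.2.2: host = IP-literal / IPv4address / reg-name, plus an optional
# ":" port (RFC 9112 §3.2). reg-name = *( unreserved / pct-encoded / sub-delims )
# and also covers dotted IPv4; the IP-literal branch is simplified (no IPvFuture).
# '/', '?', '#', ' ' and '@' are all outside the grammar and therefore rejected.
_REG_NAME = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*"
_IP_LITERAL = r"\[[A-Za-z0-9:.]+\]"
_HOST_RE = re.compile(rf"(?:{_IP_LITERAL}|{_REG_NAME})(?::[0-9]*)?")


def is_valid_host_header(value: str) -> bool:
    """True when value parses as uri-host [ ":" port ] under the RFC grammar."""
    return _HOST_RE.fullmatch(value) is not None


def _host_header(scope: dict) -> str:
    # ASGI headers are (name, value) byte pairs with lower-cased names.
    for name, value in scope["headers"]:
        if name == b"host":
            return value.decode("latin-1")
    return ""


def reconstruct_url_unvalidated(scope: dict) -> str:
    """Pre-1.0.1 behaviour as the advisory describes it: concatenate the raw
    Host header with the routed path and leave the caller to re-parse it."""
    return f"{scope['scheme']}://{_host_header(scope)}{scope['path']}"


def reconstruct_url_validated(scope: dict) -> str:
    """Hardened rebuild: a Host outside the grammar is replaced by the
    server-supplied address, so it can no longer move the path boundary."""
    host = _host_header(scope)
    if not is_valid_host_header(host):
        server_host, port = scope["server"]
        default_port = {"http": 80, "https": 443}.get(scope["scheme"])
        host = server_host if port in (None, default_port) else f"{server_host}:{port}"
    return f"{scope['scheme']}://{host}{scope['path']}"


def parsed_vs_routed_path(scope: dict, rebuild) -> tuple:
    """(path the router dispatched on, path a request.url-style re-parse yields)."""
    return scope["path"], urlsplit(rebuild(scope)).path


def make_scope(host_header: str, path: str = "/foo") -> dict:
    """Minimal constructed ASGI HTTP scope, as a server would hand to the app."""
    return {"type": "http", "scheme": "http", "path": path,
            "server": ("example.com", 80),
            "headers": [(b"host", host_header.encode("latin-1"))]}


if __name__ == "__main__":
    # The advisory's example: routing used /foo, the unvalidated rebuild
    # re-parses to /abc, the validated rebuild keeps both paths consistent.
    evil = make_scope("example.com/abc?bar=")
    print(parsed_vs_routed_path(evil, reconstruct_url_unvalidated))  # ('/foo', '/abc')
    print(parsed_vs_routed_path(evil, reconstruct_url_validated))    # ('/foo', '/foo')
```

A middleware that compares `scope["path"]` with the re-parsed `request.url.path` and rejects any mismatch is a cheap detection for this class of request on deployments that cannot upgrade immediately.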
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.0"
},
"package": {
"ecosystem": "PyPI",
"name": "starlette"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48710"
],
"database_specific": {
"cwe_ids": [
"CWE-444"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-04T13:15:17Z",
"nvd_published_at": "2026-05-26T22:16:44Z",
"severity": "MODERATE"
},
"details": "### Summary\nIn affected versions, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed.\n\n### Details\nWhen a client requests `http://example.com/foo`, it sends:\n\n```http\nGET /foo HTTP/1.1\nHost: example.com\n```\n\nAffected versions reconstructed the URL by concatenating `http://{host}{path}` and re-parsing the result. The `Host` value is only valid as a `uri-host [ \":\" port ]` per [RFC 9112 \u00a73.2](https://www.rfc-editor.org/rfc/rfc9112.html#section-3.2-6), where `uri-host` follows the restricted `host` grammar of [RFC 3986 \u00a73.2.2](https://www.rfc-editor.org/rfc/rfc3986.html#section-3.2.2). When it contains characters outside that grammar - notably `/`, `?`, or `#` - those characters move the path/query/fragment boundaries during re-parsing, so the parsed `request.url.path` no longer matches the path the server actually received. For example:\n\n```http\nGET /foo HTTP/1.1\nHost: example.com/abc?bar=\n```\n\nreconstructs to `http://example.com/abc?bar=/foo`, whose parsed `path` is `/abc` - even though routing used the real path `/foo`. The router still dispatches to `/foo` and the endpoint executes, but any middleware or code that reads `request.url.path` sees `/abc`, so path-based authorization checks can be bypassed.\n\n### Impact\nAny application running an affected version that relies on `request.url` (or `request.url.path`) for security-sensitive decisions is affected. The most common case is middleware that gates access to certain path prefixes based on `request.url.path`. Deployments fronted by a proxy or load balancer are mitigated only if that proxy rejects or normalizes the malformed `Host` header before forwarding and the application does not trust attacker-controlled host headers (e.g. `X-Forwarded-Host`) elsewhere.\n\n### Mitigation\nUpgrade to a patched version, which validates the `Host` header against the grammar of [RFC 9112 \u00a73.2](https://www.rfc-editor.org/rfc/rfc9112.html#section-3.2-6) / [RFC 3986 \u00a73.2.2](https://www.rfc-editor.org/rfc/rfc3986.html#section-3.2.2) when constructing `request.url` and falls back to `scope[\"server\"]` for malformed values.",
"id": "GHSA-86qp-5c8j-p5mr",
"modified": "2026-06-04T13:15:18Z",
"published": "2026-06-04T13:15:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48710"
},
{
"type": "WEB",
"url": "https://github.com/Kludex/starlette/commit/764dab0dcfb9033d75442d7a359645c9f94648c6"
},
{
"type": "WEB",
"url": "https://badhost.org"
},
{
"type": "PACKAGE",
"url": "https://github.com/Kludex/starlette"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2026-161.yaml"
},
{
"type": "WEB",
"url": "https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette"
},
{
"type": "WEB",
"url": "https://www.secwest.net/starlette"
},
{
"type": "WEB",
"url": "https://www.x41-dsec.de/lab/advisories/x41-2026-002-starlette"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks"
}