CVE-2026-48710
Analyzed Analyzed - Analysis Complete
Host Header Validation Bypass in Starlette

Publication date: 2026-05-26

Last updated on: 2026-06-03

Assigner: GitHub, Inc.

Description
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 Β§3.2 / RFC 3986 Β§3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-06-03
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-48710
EUVD
EUVD-2026-32016
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
encode starlette From 0.8.3 (inc) to 1.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows bypassing security restrictions based on the reconstructed request URL due to improper validation of the HTTP Host header. Such bypasses could potentially lead to unauthorized access or information disclosure.

While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, any security bypass that could lead to unauthorized access or data leakage may impact compliance with these regulations, which require protection of personal and sensitive data.

Therefore, organizations using affected versions of Starlette should upgrade to version 1.0.1 or later to ensure proper validation and reduce the risk of non-compliance due to security control bypass.

Executive Summary

This vulnerability exists in Starlette versions prior to 1.0.1 where the HTTP Host request header was not validated before being used to reconstruct the request URL.

Because the routing algorithm uses the raw HTTP path but the request URL is rebuilt from the Host header, a malformed Host header could cause the reconstructed request URL path to differ from the actual requested path.

This discrepancy allows middleware and endpoints that rely on the reconstructed request URL for security checks to be bypassed, potentially allowing unauthorized access or actions.

The issue is fixed in Starlette version 1.0.1 and later, where the Host header is validated according to RFC 9112 Β§3.2 and RFC 3986 Β§3.2.2, and falls back to a safe server value if the Host header is malformed.

Impact Analysis

This vulnerability can impact you by allowing attackers to bypass security restrictions that rely on the reconstructed request URL.

Since the routing uses the raw path but security checks use the potentially manipulated request URL, an attacker can craft a malformed Host header to evade access controls or other security mechanisms.

This could lead to unauthorized access to protected resources or execution of actions that should have been blocked.

Mitigation Strategies

To mitigate this vulnerability, users should upgrade Starlette to version 1.0.1 or later.

Version 1.0.1 and above validate the HTTP Host header against the grammar of RFC 9112 Β§3.2 and RFC 3986 Β§3.2.2 when constructing request.url, and fall back to scope["server"] for malformed values, preventing the bypass.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48710. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart