CVE-2026-48710
Host Header Validation Bypass in Starlette
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| encode | starlette | up to 1.0.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows bypassing security restrictions based on the reconstructed request URL due to improper validation of the HTTP Host header. Such bypasses could potentially lead to unauthorized access or information disclosure.
While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, any security bypass that could lead to unauthorized access or data leakage may impact compliance with these regulations, which require protection of personal and sensitive data.
Therefore, organizations using affected versions of Starlette should upgrade to version 1.0.1 or later to ensure proper validation and reduce the risk of non-compliance due to security control bypass.
Can you explain this vulnerability to me?
This vulnerability exists in Starlette versions prior to 1.0.1 where the HTTP Host request header was not validated before being used to reconstruct the request URL.
Because the routing algorithm uses the raw HTTP path but the request URL is rebuilt from the Host header, a malformed Host header could cause the reconstructed request URL path to differ from the actual requested path.
This discrepancy allows middleware and endpoints that rely on the reconstructed request URL for security checks to be bypassed, potentially allowing unauthorized access or actions.
The issue is fixed in Starlette version 1.0.1 and later, where the Host header is validated according to RFC 9112 §3.2 and RFC 3986 §3.2.2, and falls back to a safe server value if the Host header is malformed.
How can this vulnerability impact me?:
This vulnerability can impact you by allowing attackers to bypass security restrictions that rely on the reconstructed request URL.
Since the routing uses the raw path but security checks use the potentially manipulated request URL, an attacker can craft a malformed Host header to evade access controls or other security mechanisms.
This could lead to unauthorized access to protected resources or execution of actions that should have been blocked.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users should upgrade Starlette to version 1.0.1 or later.
Version 1.0.1 and above validate the HTTP Host header against the grammar of RFC 9112 §3.2 and RFC 3986 §3.2.2 when constructing request.url, and fall back to scope["server"] for malformed values, preventing the bypass.
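The check described above (validate Host against the RFC 9112 §3.2 / RFC 3986 §3.2.2 grammar, otherwise fall back to scope["server"] when rebuilding the URL), written out as an added example. This is not Starlette's own code: the regex is an approximation of the RFC grammar (IPvFuture literals are not accepted, and an empty Host is treated like a missing one), the helper names `is_valid_host`, `effective_host` and `rebuild_url` are constructed, and the ASGI scope at the bottom is a constructed sample.

```python
import ipaddress
import re
from typing import Iterable, Optional, Tuple
from urllib.parse import urlunsplit

# Constructed approximation of the Host grammar:
#   Host     = uri-host [ ":" port ]              (RFC 9112 §3.2)
#   uri-host = IP-literal / IPv4address / reg-name (RFC 3986 §3.2.2)
#   reg-name = *( unreserved / pct-encoded / sub-delims )
# IPv4address is a subset of reg-name (digits and dots), so it needs no own branch.
_UNRESERVED = r"A-Za-z0-9\-._~"
_SUB_DELIMS = r"!$&'()*+,;="
_PCT_ENCODED = r"%[0-9A-Fa-f]{2}"
_REG_NAME = rf"(?:[{_UNRESERVED}{_SUB_DELIMS}]|{_PCT_ENCODED})*"
# IP-literal = "[" IPv6address "]"; IPvFuture is deliberately not accepted here.
_IP_LITERAL = r"\[(?P<ipv6>[0-9A-Fa-f:.]+)\]"
# port = *DIGIT (RFC 3986 §3.2.3), so an empty port after ":" is grammatical.
_HOST_RE = re.compile(rf"(?:{_IP_LITERAL}|{_REG_NAME})(?::(?P<port>[0-9]*))?")


def is_valid_host(value: str) -> bool:
    """True if `value` matches the Host grammar; an IPv6 literal must also parse."""
    m = _HOST_RE.fullmatch(value)
    if m is None:
        return False
    if m.group("ipv6") is not None:
        try:
            ipaddress.IPv6Address(m.group("ipv6"))
        except ValueError:
            return False
    return True


def effective_host(headers: Iterable[Tuple[bytes, bytes]],
                   server: Optional[Tuple[str, Optional[int]]]) -> Optional[str]:
    """Choose the host[:port] used to rebuild the request URL.

    `headers` is the ASGI list of (name, value) byte pairs and `server` is
    scope["server"]. A missing, empty or malformed Host header falls back to
    the server address instead of being copied into the URL.
    """
    raw = None
    for name, value in headers:
        if name.lower() == b"host":
            raw = value.decode("latin-1")
            break
    if raw and is_valid_host(raw):
        return raw
    if server is None:
        return None
    host, port = server
    if ":" in host and not host.startswith("["):  # bare IPv6 address from the server
        host = f"[{host}]"
    return host if port is None else f"{host}:{port}"


def rebuild_url(scope: dict) -> str:
    """Reconstruct the request URL from an ASGI scope without trusting a bad Host.

    The path always comes from scope["path"], the same raw path the router
    sees, so the rebuilt URL cannot disagree with the route that was matched.
    """
    netloc = effective_host(scope.get("headers", []), scope.get("server")) or ""
    path = scope.get("root_path", "") + scope["path"]
    query = scope.get("query_string", b"").decode("latin-1")
    return urlunsplit((scope.get("scheme", "http"), netloc, path, query, ""))


# Constructed sample scope: a well-formed Host and a malformed one (contains a space).
SAMPLE_SCOPE = {
    "type": "http", "scheme": "http", "path": "/admin", "root_path": "",
    "query_string": b"x=1", "server": ("127.0.0.1", 8000),
    "headers": [(b"host", b"example.com:8000")],
}
MALFORMED_SCOPE = dict(SAMPLE_SCOPE, headers=[(b"host", b"bad host")])

if __name__ == "__main__":
    print(rebuild_url(SAMPLE_SCOPE))     # Host accepted as-is
    print(rebuild_url(MALFORMED_SCOPE))  # falls back to scope["server"]
```

The important property is visible in `rebuild_url`: the path component is taken from the scope regardless of what the Host header contains, and a Host that fails the grammar is replaced by `scope["server"]` rather than being spliced into the URL, so middleware that inspects `request.url` sees the same path the router used.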