CVE-2026-48817
Status: Received - Intake
Method Spoofing in Starlette Framework

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and below, when dispatching a request, HTTPEndpoint selects the handler by lowercasing the HTTP method and looking it up as an attribute with getattr, without restricting the lookup to a known set of HTTP verbs. When an HTTPEndpoint subclass is registered through Route(...) without an explicit methods= argument, the route does not constrain the method and every method reaches the endpoint. If a non-standard HTTP method whose lowercased name matches an attribute on the endpoint subclass reaches the endpoint, that attribute is invoked as if it were a request handler. An attacker can use this to reach methods that were never meant to be HTTP handlers, such as internal helpers, without the authorization checks applied by the intended public handler. An application (including Starlette-based frameworks like FastAPI) is affected if it registers an HTTPEndpoint subclass via Route(...) without explicitly setting methods=, and that subclass includes extra methods named like non-standard HTTP verbs that take one request argument and return a response. This issue has been fixed in version 1.1.0.
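The dispatch pattern described above, modelled as an added example that is not Starlette's code: a minimal method-name-to-handler dispatcher with the unrestricted getattr lookup (the CWE-470 pattern) next to a lookup restricted to an allowlist of HTTP verbs. The Endpoint, Request and Response classes and the dispatch_* functions are assumed names for the illustration; the purge helper stands in for any attribute that takes one request and returns a response but was never meant to be a handler.

```python
"""Added illustration, not Starlette's code: a minimal model of the
method-name-to-handler dispatch described in the advisory. Endpoint,
Request, Response and the dispatch_* functions are assumed names."""
from dataclasses import dataclass
from typing import Callable, Optional

# Known HTTP verbs an endpoint may legitimately handle; anything else is
# refused before any attribute lookup happens.
HTTP_VERBS = frozenset({"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"})


@dataclass
class Request:
    method: str


@dataclass
class Response:
    status: int
    body: str


class Endpoint:
    """Hypothetical endpoint: one public handler plus an internal helper
    that happens to take a request and return a response."""

    def get(self, request: Request) -> Response:
        return Response(200, "public listing")

    def purge(self, request: Request) -> Response:
        # Internal helper; never intended to be reachable as a handler.
        return Response(200, "cache purged")


def dispatch_unrestricted(endpoint: object, request: Request) -> Response:
    """The unsafe pattern (CWE-470): the attribute name comes straight from
    the request, so any method name that matches an attribute is called."""
    handler: Optional[Callable[[Request], Response]]
    handler = getattr(endpoint, request.method.lower(), None)
    if handler is None:
        return Response(405, "method not allowed")
    return handler(request)


def dispatch_allowlisted(endpoint: object, request: Request) -> Response:
    """Hardened pattern: only names from the fixed verb allowlist are ever
    looked up, so a non-standard method cannot select arbitrary attributes."""
    method = request.method.upper()
    if method not in HTTP_VERBS:
        return Response(405, "method not allowed")
    handler = getattr(endpoint, method.lower(), None)
    if handler is None:
        return Response(405, "method not allowed")
    return handler(request)


if __name__ == "__main__":
    ep = Endpoint()
    for req in (Request("GET"), Request("PURGE")):
        print(req.method,
              dispatch_unrestricted(ep, req).status,
              dispatch_allowlisted(ep, req).status)
```

The allowlist check runs before getattr, so the set of reachable attributes is fixed at design time regardless of what the request carries; this is the same property an explicit methods= on the route gives at the routing layer.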
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-18
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor: encode, Product: starlette, Version range: up to 1.1.0 (excluding)
Vendor: encode, Product: starlette, Version: 1.1.0
CWE
CWE-470: The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
Executive Summary

This vulnerability exists in Starlette versions 1.0.1 and below. When dispatching a request, the HTTPEndpoint selects the handler by lowercasing the HTTP method and looking it up as an attribute without restricting the lookup to a known set of HTTP verbs.

If an HTTPEndpoint subclass is registered through Route(...) without explicitly specifying allowed HTTP methods, the route does not constrain the method, allowing every method to reach the endpoint.

An attacker can send a non-standard HTTP method whose lowercased name matches an attribute on the endpoint subclass. This causes that attribute to be invoked as if it were a request handler, potentially reaching internal methods that were never meant to be HTTP handlers.

These internal methods may lack authorization checks, allowing unauthorized access to functionality.

The issue is fixed in Starlette version 1.1.0.

Mitigation Strategies

To mitigate this vulnerability, upgrade Starlette to version 1.1.0 or later where the issue is fixed.

Additionally, ensure that when registering an HTTPEndpoint subclass via Route(...), you explicitly set the methods= argument to restrict allowed HTTP methods.
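One way to check the second point across a code base, as an added example that is not Starlette's own tooling: an ast-based audit that reports every Route(...) call whose endpoint is a class deriving from HTTPEndpoint in the same module and that passes no methods= keyword. The function and helper names are assumptions, and the SAMPLE module text is constructed for the illustration.

```python
"""Added example, not Starlette's own tooling: a static audit for Route(...)
registrations of HTTPEndpoint subclasses that omit methods=. The SAMPLE
module text is constructed for the illustration."""
from __future__ import annotations

import ast


def _simple_name(node: ast.AST) -> str | None:
    """Return the bare name of a Name or Attribute node (Route or routing.Route)."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None


def find_unconstrained_endpoint_routes(source: str) -> list[tuple[int, str]]:
    """Return (line number, endpoint class name) for every Route(...) call whose
    endpoint is a class deriving from HTTPEndpoint in this module and that has
    no methods= keyword."""
    tree = ast.parse(source)

    endpoint_classes = {
        node.name
        for node in ast.walk(tree)
        if isinstance(node, ast.ClassDef)
        and any(_simple_name(base) == "HTTPEndpoint" for base in node.bases)
    }

    findings: list[tuple[int, str]] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or _simple_name(node.func) != "Route":
            continue
        # Route(path, endpoint, ...) positionally, or endpoint= as a keyword.
        endpoint = node.args[1] if len(node.args) > 1 else None
        if endpoint is None:
            endpoint = next((kw.value for kw in node.keywords if kw.arg == "endpoint"), None)
        if not (isinstance(endpoint, ast.Name) and endpoint.id in endpoint_classes):
            continue  # plain function endpoints or classes from other modules are out of scope
        if any(kw.arg == "methods" for kw in node.keywords):
            continue  # explicitly constrained, nothing to report
        findings.append((node.lineno, endpoint.id))
    return findings


# Constructed sample module: Users is registered without methods= and also
# carries a helper named like a non-standard verb; Health is constrained.
SAMPLE = '''
from starlette.endpoints import HTTPEndpoint
from starlette.routing import Route

class Users(HTTPEndpoint):
    async def get(self, request):
        ...

    async def purge(self, request):
        ...

class Health(HTTPEndpoint):
    async def get(self, request):
        ...

routes = [
    Route("/users", Users),
    Route("/health", Health, methods=["GET"]),
    Route("/ping", ping_handler),
]
'''

if __name__ == "__main__":
    for lineno, name in find_unconstrained_endpoint_routes(SAMPLE):
        print(f"line {lineno}: Route for {name} has no methods= restriction")
```

The audit only sees subclasses defined in the module it parses; endpoints imported from elsewhere need the class-collection step run over those modules too, or a project-wide pass that resolves imports first.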

Impact Analysis

This vulnerability can allow an attacker to invoke internal methods of an application that were not intended to be exposed as HTTP handlers.

Since these internal methods may not have proper authorization checks, an attacker could bypass security controls and perform unauthorized actions.

This could lead to information disclosure, unauthorized operations, or other security impacts depending on what the internal methods do.
