CVE-2026-48818
Modified Modified - Updated After Analysis

StaticFiles SSRF Vulnerability in Starlette on Windows

Vulnerability report for CVE-2026-48818, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. An UNC path such as \\attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection before the path is rejected, exposing the service account’s NTLMv2 credentials for offline cracking or relay even though the HTTP response is only a 404. The issue affects default follow_symlink=False deployments, including frameworks built on Starlette such as FastAPI; POSIX systems and follow_symlink=True are unaffected. The issue is fixed in 1.1.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-06-30
Generated
2026-07-08
AI Q&A
2026-06-18
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
encode starlette to 1.1.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker to cause the service to initiate an outbound SMB connection, potentially exposing the service account’s NTLMv2 credentials for offline cracking or relay attacks. Such credential exposure could lead to unauthorized access to sensitive data.

Exposure of credentials and potential unauthorized access could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data and mandate controls to prevent unauthorized access.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory considerations.

Executive Summary

This vulnerability affects Starlette versions 1.0.1 and earlier on Windows systems when using StaticFiles. It is a Server-Side Request Forgery (SSRF) issue where an attacker can use a UNC path like \\attacker.com\share to trigger an outbound SMB connection. This happens because os.path.realpath initiates the connection before rejecting the path, which can expose the service account's NTLMv2 credentials. These credentials can then be captured for offline cracking or relay attacks. The vulnerability occurs even though the HTTP response is only a 404 error.

The issue affects default deployments with follow_symlink set to False, including frameworks built on Starlette such as FastAPI. POSIX systems and configurations with follow_symlink set to True are not affected. The vulnerability was fixed in Starlette version 1.1.0.

Impact Analysis

This vulnerability can lead to the exposure of the service account's NTLMv2 credentials through outbound SMB connections initiated by the vulnerable application. An attacker can capture these credentials and use them for offline cracking or relay attacks, potentially gaining unauthorized access to network resources or escalating privileges.

Since the vulnerability occurs even when the HTTP response is a 404 error, it may be difficult to detect through normal application monitoring. This can result in a stealthy compromise of credentials and subsequent attacks on the affected system or network.

Mitigation Strategies

To mitigate this vulnerability, upgrade Starlette to version 1.1.0 or later, where the issue is fixed.

Avoid using the vulnerable versions (1.0.1 and earlier) on Windows systems, especially if your deployment uses the default follow_symlink=False setting.

If upgrading is not immediately possible, consider restricting outbound SMB connections from the affected service to prevent NTLMv2 credential exposure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48818. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart