CVE-2026-48818
Status: Received - Intake
StaticFiles SSRF Vulnerability in Starlette on Windows

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. An UNC path such as \\attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection before the path is rejected, exposing the service account’s NTLMv2 credentials for offline cracking or relay even though the HTTP response is only a 404. The issue affects default follow_symlink=False deployments, including frameworks built on Starlette such as FastAPI; POSIX systems and follow_symlink=True are unaffected. The issue is fixed in 1.1.0.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-18
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products (3 associated CPEs)
Vendor | Product   | Version / Range
encode | starlette | up to 1.1.0 (excluding)
encode | starlette | 1.1.0
encode | fastapi   | *
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

This vulnerability affects Starlette versions 1.0.1 and earlier on Windows systems when using StaticFiles. It is a Server-Side Request Forgery (SSRF) issue where an attacker can use a UNC path like \\attacker.com\share to trigger an outbound SMB connection. This happens because os.path.realpath initiates the connection before rejecting the path, which can expose the service account's NTLMv2 credentials. These credentials can then be captured for offline cracking or relay attacks. The vulnerability occurs even though the HTTP response is only a 404 error.

The issue affects default deployments with follow_symlink set to False, including frameworks built on Starlette such as FastAPI. POSIX systems and configurations with follow_symlink set to True are not affected. The vulnerability was fixed in Starlette version 1.1.0.

Impact Analysis

This vulnerability can lead to the exposure of the service account's NTLMv2 credentials through outbound SMB connections initiated by the vulnerable application. An attacker can capture these credentials and use them for offline cracking or relay attacks, potentially gaining unauthorized access to network resources or escalating privileges.

Since the vulnerability occurs even when the HTTP response is a 404 error, it may be difficult to detect through normal application monitoring. This can result in a stealthy compromise of credentials and subsequent attacks on the affected system or network.

Mitigation Strategies

To mitigate this vulnerability, upgrade Starlette to version 1.1.0 or later, where the issue is fixed.

Avoid using the vulnerable versions (1.0.1 and earlier) on Windows systems, especially if your deployment uses the default follow_symlink=False setting.

If upgrading is not immediately possible, consider restricting outbound SMB connections from the affected service to prevent NTLMv2 credential exposure.
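The following is an added defensive illustration, not Starlette's own fix and not code from this record: a hypothetical `safe_static_relpath` helper that refuses UNC, backslash, drive-letter and traversal paths purely lexically, so a hostile path is rejected before os.path.realpath() (the call the description identifies as opening the SMB connection) is ever reached. It assumes the input is the URL-decoded path remainder after the mount prefix, as a static-files handler would receive it.

```python
from __future__ import annotations

import os
from pathlib import PurePosixPath, PureWindowsPath


def safe_static_relpath(url_path: str) -> str | None:
    """Lexically validate a decoded request path before any filesystem call.

    Returns a clean relative path such as "css/app.css", or None when the path
    must be refused. Nothing here touches the OS, so a UNC or drive path is
    rejected before os.path.realpath() could open an outbound SMB connection.
    """
    if not url_path or "\x00" in url_path:
        return None
    # A backslash never belongs in a URL path; on Windows it is a separator and
    # "\\host\share" is a UNC path that realpath() would try to contact.
    if "\\" in url_path:
        return None
    # Dropping empty segments also collapses a leading "//host/share" into the
    # harmless relative path "host/share" under the static directory.
    segments = [seg for seg in url_path.split("/") if seg not in ("", ".")]
    if not segments:
        return None
    for seg in segments:
        if seg == "..":
            return None
        # PureWindowsPath parses drive letters ("C:") on any OS; a single
        # segment must carry no drive or root at all. The ":" check also
        # refuses NTFS alternate data streams ("file.txt:stream").
        win = PureWindowsPath(seg)
        if win.drive or win.root or ":" in seg:
            return None
    return str(PurePosixPath(*segments))


def resolve_static(directory: str, url_path: str) -> str | None:
    """Join a validated relative path under directory and confine the result."""
    rel = safe_static_relpath(url_path)
    if rel is None:
        return None
    base = os.path.realpath(directory)  # operator-configured, trusted
    full = os.path.realpath(os.path.join(base, *rel.split("/")))
    # Even after the lexical checks, the resolved target must still sit under
    # the static directory (a symlink inside it could point elsewhere).
    if os.path.commonpath([base, full]) != base:
        return None
    return full
```

The lexical check is the part that matters for this CVE: realpath() is only called once the path is known to be a plain relative path, so no hostname can reach the SMB client.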
