Intel

AIKIDO-2026-10923

starlette is vulnerable to Improper Input Validation

Improper Input ValidationCVE-2026-48710 Published May 26, 2026

95

Critical Risk

This Affects:

PYTHONstarlette
0.8.3 - 1.0.0
Fixed in 1.0.1
Are you affected? Scan for Free

TL;DR

Affected versions are vulnerable to improper Host header validation when reconstructing request.url. A crafted Host header containing path or query delimiters can cause request.url.path to differ from the actual requested path, potentially allowing attackers to bypass path-based security checks or authorization middleware.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

starlette is vulnerable to Improper Input Validation in versions 0.8.3 - 1.0.0.

How to fix this

Upgrade the starlette library to the patch version.

Links

Other

badhost.org
https://badhost.org
github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2026-161.yaml
https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2026-161.yaml
ostif.org/disclosing-the-badhost-vulnerability-in-starlette
https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette
secwest.net/starlette
https://www.secwest.net/starlette
x41-dsec.de/lab/advisories/x41-2026-002-starlette
https://www.x41-dsec.de/lab/advisories/x41-2026-002-starlette
access.redhat.com/errata/RHSA-2026:22992
https://access.redhat.com/errata/RHSA-2026:22992
access.redhat.com/errata/RHSA-2026:22993
https://access.redhat.com/errata/RHSA-2026:22993
access.redhat.com/errata/RHSA-2026:23346
https://access.redhat.com/errata/RHSA-2026:23346
access.redhat.com/errata/RHSA-2026:24866
https://access.redhat.com/errata/RHSA-2026:24866
access.redhat.com/errata/RHSA-2026:26226
https://access.redhat.com/errata/RHSA-2026:26226
access.redhat.com/errata/RHSA-2026:30088
https://access.redhat.com/errata/RHSA-2026:30088
access.redhat.com/errata/RHSA-2026:30089
https://access.redhat.com/errata/RHSA-2026:30089
access.redhat.com/errata/RHSA-2026:34456
https://access.redhat.com/errata/RHSA-2026:34456
access.redhat.com/errata/RHSA-2026:34526
https://access.redhat.com/errata/RHSA-2026:34526
access.redhat.com/errata/RHSA-2026:34532
https://access.redhat.com/errata/RHSA-2026:34532
access.redhat.com/errata/RHSA-2026:37275
https://access.redhat.com/errata/RHSA-2026:37275
access.redhat.com/security/cve/CVE-2026-48710
https://access.redhat.com/security/cve/CVE-2026-48710
bugzilla.redhat.com/show_bug.cgi?id=2481742
https://bugzilla.redhat.com/show_bug.cgi?id=2481742
security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48710.json
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48710.json