CVE-2026-48710: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in Kludex starlette
Starlette versions prior to 1. 0. 1 have a vulnerability where the HTTP Host header is not validated before reconstructing request. url. This can cause a mismatch between the actual requested path and the path used by middleware or endpoints for security checks, potentially allowing bypass of security restrictions. The issue is fixed in version 1. 0. 1 by validating the Host header according to RFC standards and falling back to a safe value if malformed.
AI Analysis
Technical Summary
CVE-2026-48710 affects the Kludex Starlette ASGI framework versions before 1.0.1. The vulnerability arises because the HTTP Host header was not validated before being used to reconstruct request.url. Since routing relies on the raw HTTP path but security checks may rely on request.url, a malformed Host header can cause inconsistent interpretation of the request path, enabling bypass of security restrictions. Version 1.0.1 mitigates this by validating the Host header against RFC 9112 §3.2 and RFC 3986 §3.2.2 grammar and falling back to scope["server"] for malformed headers.
Potential Impact
An attacker can craft HTTP requests with malformed Host headers that cause the reconstructed request.url.path to differ from the actual requested path. This discrepancy can allow bypass of middleware or endpoint security restrictions that rely on request.url, potentially leading to unauthorized access or privilege escalation. The CVSS score is 6.5 (medium severity), indicating limited confidentiality and integrity impact without availability impact. No known exploits are reported in the wild.
Mitigation Recommendations
Users should upgrade to Starlette version 1.0.1 or later, where the Host header is properly validated and malformed values fallback to a safe default. No official patch link or advisory is provided, but upgrading to the fixed version is the recommended remediation. Since this is not a cloud service, users must apply the upgrade themselves. Patch status is not explicitly confirmed beyond the version fix; check vendor sources for updates.
CVE-2026-48710: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in Kludex starlette
Description
Starlette versions prior to 1. 0. 1 have a vulnerability where the HTTP Host header is not validated before reconstructing request. url. This can cause a mismatch between the actual requested path and the path used by middleware or endpoints for security checks, potentially allowing bypass of security restrictions. The issue is fixed in version 1. 0. 1 by validating the Host header according to RFC standards and falling back to a safe value if malformed.
CVSS v3.1
Score 6.5medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-48710 affects the Kludex Starlette ASGI framework versions before 1.0.1. The vulnerability arises because the HTTP Host header was not validated before being used to reconstruct request.url. Since routing relies on the raw HTTP path but security checks may rely on request.url, a malformed Host header can cause inconsistent interpretation of the request path, enabling bypass of security restrictions. Version 1.0.1 mitigates this by validating the Host header against RFC 9112 §3.2 and RFC 3986 §3.2.2 grammar and falling back to scope["server"] for malformed headers.
Potential Impact
An attacker can craft HTTP requests with malformed Host headers that cause the reconstructed request.url.path to differ from the actual requested path. This discrepancy can allow bypass of middleware or endpoint security restrictions that rely on request.url, potentially leading to unauthorized access or privilege escalation. The CVSS score is 6.5 (medium severity), indicating limited confidentiality and integrity impact without availability impact. No known exploits are reported in the wild.
Mitigation Recommendations
Users should upgrade to Starlette version 1.0.1 or later, where the Host header is properly validated and malformed values fallback to a safe default. No official patch link or advisory is provided, but upgrading to the fixed version is the recommended remediation. Since this is not a cloud service, users must apply the upgrade themselves. Patch status is not explicitly confirmed beyond the version fix; check vendor sources for updates.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-22T18:47:27.755Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a161c3ae29bf47b506f4910
Added to database: 5/26/2026, 10:18:34 PM
Last enriched: 5/26/2026, 10:35:09 PM
Last updated: 5/26/2026, 11:29:54 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.