CVE-2026-48710: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in Kludex starlette
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.
AI Analysis
Technical Summary
CVE-2026-48710 describes an inconsistent interpretation of HTTP requests in the Kludex Starlette ASGI framework prior to version 1.0.1. The vulnerability arises because the HTTP Host header was not validated before being used to reconstruct request.url. Since routing relies on the raw HTTP path but security checks may rely on request.url.path, a malformed Host header can cause these to differ, enabling bypass of security restrictions that depend on request.url. The issue is addressed in version 1.0.1 by validating the Host header against RFC 9112 §3.2 and RFC 3986 §3.2.2 grammar and falling back to scope["server"] for malformed values.
Potential Impact
This vulnerability allows attackers to craft HTTP requests with malformed Host headers that cause the reconstructed request.url.path to differ from the actual requested path. Middleware or endpoints that enforce security policies based on request.url rather than the raw HTTP path may be bypassed, potentially leading to unauthorized access or privilege escalation. The CVSS score is 6.5 (medium severity), indicating a moderate impact on confidentiality and integrity without affecting availability.
Mitigation Recommendations
Users should upgrade to Starlette version 1.0.1 or later, where the Host header is properly validated and malformed values fallback to a safe server scope. No other mitigation is indicated by the vendor advisory. Patch status is not explicitly stated in the vendor advisory, but upgrading to >=1.0.1 is the recommended fix.
CVE-2026-48710: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in Kludex starlette
Description
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.
CVSS v3.1
Score 6.5medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-48710 describes an inconsistent interpretation of HTTP requests in the Kludex Starlette ASGI framework prior to version 1.0.1. The vulnerability arises because the HTTP Host header was not validated before being used to reconstruct request.url. Since routing relies on the raw HTTP path but security checks may rely on request.url.path, a malformed Host header can cause these to differ, enabling bypass of security restrictions that depend on request.url. The issue is addressed in version 1.0.1 by validating the Host header against RFC 9112 §3.2 and RFC 3986 §3.2.2 grammar and falling back to scope["server"] for malformed values.
Potential Impact
This vulnerability allows attackers to craft HTTP requests with malformed Host headers that cause the reconstructed request.url.path to differ from the actual requested path. Middleware or endpoints that enforce security policies based on request.url rather than the raw HTTP path may be bypassed, potentially leading to unauthorized access or privilege escalation. The CVSS score is 6.5 (medium severity), indicating a moderate impact on confidentiality and integrity without affecting availability.
Mitigation Recommendations
Users should upgrade to Starlette version 1.0.1 or later, where the Host header is properly validated and malformed values fallback to a safe server scope. No other mitigation is indicated by the vendor advisory. Patch status is not explicitly stated in the vendor advisory, but upgrading to >=1.0.1 is the recommended fix.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-22T18:47:27.755Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-48710","vendor":"Red Hat"}]
Threat ID: 6a161c3ae29bf47b506f4910
Added to database: 05/26/2026, 22:18:34 UTC
Last enriched: 07/09/2026, 09:26:55 UTC
Last updated: 07/11/2026, 23:03:35 UTC
Views: 206
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.