Skip to main content

Starlette CVE-2026-48818

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-15 https://github.com/Kludex/starlette GHSA-wqp7-x3pw-xc5r
7.5
CVSS 3.1 · Vendor: https://github.com/Kludex/starlette
Share

Severity by source

Vendor (https://github.com/Kludex/starlette) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated remote HTTP request triggers NTLMv2 hash leak on default Windows config (AV:N/AC:L/PR:N/UI:N); credential disclosure is confidentiality-only with no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/Kludex/starlette).

CVSS VectorVendor: https://github.com/Kludex/starlette

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 15, 2026 - 20:50 vuln.today
Analysis Generated
Jun 15, 2026 - 20:50 vuln.today
CVE Published
Jun 15, 2026 - 20:16 github-advisory
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 10 pypi packages depend on starlette (9 direct, 1 indirect)

Ecosystem-wide dependent count for version 1.1.0.

DescriptionCVE.org

Summary

When serving static files on Windows, StaticFiles resolves the requested path with os.path.realpath. If a UNC path (such as \\attacker.com\share) reaches the resolver, realpath causes the process to open a connection to the remote host over SMB (port 445). This is a server-side request forgery (SSRF) that leaks the service account's NTLMv2 credentials to the attacker-controlled host, which can then be cracked offline or relayed to other hosts.

Details

StaticFiles.lookup_path() joins the requested path onto the served directory and calls os.path.realpath on the result before checking containment with os.path.commonpath. On Windows, a UNC path is absolute, so os.path.join discards the served directory and realpath resolves the bare UNC path, triggering the outbound SMB connection and NTLM authentication before the containment check rejects the path. The HTTP response is a benign 404, but the credential disclosure has already happened. POSIX systems are not affected.

This only affects the default configuration (follow_symlink=False), which uses os.path.realpath. The follow_symlink=True branch uses os.path.abspath, which performs no I/O.

Impact

Applications running on Windows that serve files with StaticFiles (directly, or via a framework built on Starlette such as FastAPI) in the default configuration are affected. StaticFiles is typically unauthenticated, so any client can trigger the SMB connection and leak the service account's NTLMv2 hash. A secondary impact is discovering internal hosts reachable over SMB by timing responses for valid versus invalid addresses.

Mitigation

Applications not running on Windows are not affected. On Windows, serving static files through a dedicated web server (such as nginx or IIS) instead of StaticFiles avoids the issue. Blocking outbound SMB (port 445) from the application host prevents the credential disclosure even if a UNC path is resolved.

AnalysisAI

Server-side request forgery in Starlette's StaticFiles on Windows allows unauthenticated remote attackers to coerce the application process into making outbound SMB connections to attacker-controlled hosts, leaking the service account's NTLMv2 hash for offline cracking or NTLM relay. The flaw affects all Starlette versions before 1.1.0 (including downstream frameworks like FastAPI) when running on Windows in the default follow_symlink=False configuration, and no public exploit identified at time of analysis though the GHSA advisory provides full technical detail sufficient to reproduce.

Technical ContextAI

Starlette is a lightweight ASGI framework written in Python (pkg:pip/starlette) that underpins FastAPI and other async web applications. The vulnerability lives in StaticFiles.lookup_path(), which uses os.path.join() to combine the served directory with the user-supplied path and then calls os.path.realpath() before applying os.path.commonpath() as a containment check. On Windows, UNC paths like \\attacker.com\share are absolute, so os.path.join discards the served directory and os.path.realpath performs filesystem I/O on the bare UNC path - Windows opens an SMB connection (TCP/445) and performs NTLM authentication against the remote host before the containment check ever runs. This is a textbook CWE-918 SSRF, but the side channel is the Windows SMB client rather than an HTTP request, and the leaked artifact is the process's NTLMv2 challenge-response. The follow_symlink=True branch is unaffected because it calls os.path.abspath(), which performs no I/O.

RemediationAI

Vendor-released patch: Starlette 1.1.0 - upgrade with pip install --upgrade 'starlette>=1.1.0' and bump any transitive pin in FastAPI projects accordingly, per the GHSA advisory at https://github.com/Kludex/starlette/security/advisories/GHSA-wqp7-x3pw-xc5r. If immediate upgrade is not possible, the most effective compensating controls on Windows hosts are to front Starlette with a dedicated static-file server (nginx or IIS) so that StaticFiles never sees the request - this fully eliminates the code path at the cost of an extra deployment component - or to block outbound TCP/445 from the application host at the host firewall or network egress, which prevents the NTLM leak even if a UNC path is resolved but may break legitimate SMB use such as accessing file shares or DFS. Switching StaticFiles to follow_symlink=True also avoids the vulnerable os.path.realpath call, but this changes symlink-traversal semantics and may introduce its own path-traversal risk, so it is not recommended as a primary fix. Migrating the deployment to Linux removes the issue entirely.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Server 16.0 Not-Affected
SUSE Linux Enterprise Server 16.1 Not-Affected
SUSE Linux Enterprise Server for SAP applications 16.0 Not-Affected
SUSE Linux Enterprise Server for SAP applications 16.1 Not-Affected
openSUSE Leap 16.0 Not-Affected

Share

CVE-2026-48818 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy