Starlette CVE-2026-48818
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated remote HTTP request triggers NTLMv2 hash leak on default Windows config (AV:N/AC:L/PR:N/UI:N); credential disclosure is confidentiality-only with no integrity or availability impact.
Primary rating from Vendor (https://github.com/Kludex/starlette).
CVSS VectorVendor: https://github.com/Kludex/starlette
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 10 pypi packages depend on starlette (9 direct, 1 indirect)
Ecosystem-wide dependent count for version 1.1.0.
DescriptionCVE.org
Summary
When serving static files on Windows, StaticFiles resolves the requested path with os.path.realpath. If a UNC path (such as \\attacker.com\share) reaches the resolver, realpath causes the process to open a connection to the remote host over SMB (port 445). This is a server-side request forgery (SSRF) that leaks the service account's NTLMv2 credentials to the attacker-controlled host, which can then be cracked offline or relayed to other hosts.
Details
StaticFiles.lookup_path() joins the requested path onto the served directory and calls os.path.realpath on the result before checking containment with os.path.commonpath. On Windows, a UNC path is absolute, so os.path.join discards the served directory and realpath resolves the bare UNC path, triggering the outbound SMB connection and NTLM authentication before the containment check rejects the path. The HTTP response is a benign 404, but the credential disclosure has already happened. POSIX systems are not affected.
This only affects the default configuration (follow_symlink=False), which uses os.path.realpath. The follow_symlink=True branch uses os.path.abspath, which performs no I/O.
Impact
Applications running on Windows that serve files with StaticFiles (directly, or via a framework built on Starlette such as FastAPI) in the default configuration are affected. StaticFiles is typically unauthenticated, so any client can trigger the SMB connection and leak the service account's NTLMv2 hash. A secondary impact is discovering internal hosts reachable over SMB by timing responses for valid versus invalid addresses.
Mitigation
Applications not running on Windows are not affected. On Windows, serving static files through a dedicated web server (such as nginx or IIS) instead of StaticFiles avoids the issue. Blocking outbound SMB (port 445) from the application host prevents the credential disclosure even if a UNC path is resolved.
AnalysisAI
Server-side request forgery in Starlette's StaticFiles on Windows allows unauthenticated remote attackers to coerce the application process into making outbound SMB connections to attacker-controlled hosts, leaking the service account's NTLMv2 hash for offline cracking or NTLM relay. The flaw affects all Starlette versions before 1.1.0 (including downstream frameworks like FastAPI) when running on Windows in the default follow_symlink=False configuration, and no public exploit identified at time of analysis though the GHSA advisory provides full technical detail sufficient to reproduce.
Technical ContextAI
Starlette is a lightweight ASGI framework written in Python (pkg:pip/starlette) that underpins FastAPI and other async web applications. The vulnerability lives in StaticFiles.lookup_path(), which uses os.path.join() to combine the served directory with the user-supplied path and then calls os.path.realpath() before applying os.path.commonpath() as a containment check. On Windows, UNC paths like \\attacker.com\share are absolute, so os.path.join discards the served directory and os.path.realpath performs filesystem I/O on the bare UNC path - Windows opens an SMB connection (TCP/445) and performs NTLM authentication against the remote host before the containment check ever runs. This is a textbook CWE-918 SSRF, but the side channel is the Windows SMB client rather than an HTTP request, and the leaked artifact is the process's NTLMv2 challenge-response. The follow_symlink=True branch is unaffected because it calls os.path.abspath(), which performs no I/O.
RemediationAI
Vendor-released patch: Starlette 1.1.0 - upgrade with pip install --upgrade 'starlette>=1.1.0' and bump any transitive pin in FastAPI projects accordingly, per the GHSA advisory at https://github.com/Kludex/starlette/security/advisories/GHSA-wqp7-x3pw-xc5r. If immediate upgrade is not possible, the most effective compensating controls on Windows hosts are to front Starlette with a dedicated static-file server (nginx or IIS) so that StaticFiles never sees the request - this fully eliminates the code path at the cost of an extra deployment component - or to block outbound TCP/445 from the application host at the host firewall or network egress, which prevents the NTLM leak even if a UNC path is resolved but may break legitimate SMB use such as accessing file shares or DFS. Switching StaticFiles to follow_symlink=True also avoids the vulnerable os.path.realpath call, but this changes symlink-traversal semantics and may introduce its own path-traversal risk, so it is not recommended as a primary fix. Migrating the deployment to Linux removes the issue entirely.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allVendor StatusVendor
SUSE
Severity: Important| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 16.0 | Not-Affected |
| SUSE Linux Enterprise Server 16.1 | Not-Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Not-Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Not-Affected |
| openSUSE Leap 16.0 | Not-Affected |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-wqp7-x3pw-xc5r