Skip to main content

Starlette EUVDEUVD-2026-32016

| CVE-2026-48710 MEDIUM
HTTP Request/Response Smuggling (CWE-444)
2026-05-26 security-advisories@github.com GHSA-86qp-5c8j-p5mr PYSEC-2026-161
Medium
Disputed · 6.5 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.5 CRITICAL
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 26, 2026 - 22:31 vuln.today
Analysis Generated
May 26, 2026 - 22:31 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 46 pypi packages depend on starlette (21 direct, 25 indirect)

Ecosystem-wide dependent count for version 1.0.1.

DescriptionNVD

Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP Host request header was not validated before being used to reconstruct request.url. Because the routing algorithm relies on the raw HTTP path while request.url is rebuilt from the Host header, a malformed header could make request.url.path differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on request.url (rather than the raw scope path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the Host header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing request.url and falls back to scope["server"] for malformed values.

AnalysisAI

Host header injection in Starlette prior to version 1.0.1 allows unauthenticated remote attackers to cause request.url.path to differ from the actual ASGI scope path used for routing, enabling bypass of middleware and endpoint security controls that rely on request.url rather than the raw scope. Any application enforcing path-based ACLs, authentication gates, or WAF-style filters through request.url is affected, as a crafted Host header can make the URL appear to address a permitted path while the real route differs. This issue carries CVSS 6.5 (AV:N/AC:L/PR:N/UI:N); no public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed
SUSE Linux Enterprise Server for SAP applications 16.0 Fixed
SUSE Linux Enterprise Server for SAP applications 16.1 Fixed
openSUSE Leap 16.0 Fixed

Share

EUVD-2026-32016 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy