CVE-2026-48061: Litestar: AllowedHostsMiddleware bypasses host validation via client-controlled X-Forwarded-Host header

June 10, 2026

AllowedHostsMiddleware trusts the X-Forwarded-Host header as a fallback when the Host header is absent. Since X-Forwarded-Host is a client-controllable header, an attacker can bypass the allowed hosts validation by omitting the Host header and supplying an X-Forwarded-Host header set to a whitelisted domain. This enables host header injection attacks such as password reset poisoning, cache poisoning, and server-side request routing manipulation.

References

github.com/advisories/GHSA-3qmc-cj7q-62hv
github.com/litestar-org/litestar/commit/6930a20ceb543912cd651b42deae5b9f3637a262
github.com/litestar-org/litestar/security/advisories/GHSA-3qmc-cj7q-62hv
nvd.nist.gov/vuln/detail/CVE-2026-48061

Code Behaviors & Features

Detect and mitigate CVE-2026-48061 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →