CVE-2026-48710: Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks
In affected versions, the HTTP Host request header was not validated before being used to reconstruct request.url. Because the routing algorithm relies on the raw HTTP path while request.url is rebuilt from the Host header, a malformed header could make request.url.path differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on request.url (rather than the raw scope path) could therefore be bypassed.
References
- badhost.org/
- github.com/Kludex/starlette/commit/764dab0dcfb9033d75442d7a359645c9f94648c6
- github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr
- github.com/advisories/GHSA-86qp-5c8j-p5mr
- github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2026-161.yaml
- nvd.nist.gov/vuln/detail/CVE-2026-48710
- ostif.org/disclosing-the-badhost-vulnerability-in-starlette
- www.secwest.net/starlette
- www.x41-dsec.de/lab/advisories/x41-2026-002-starlette
Code Behaviors & Features
Detect and mitigate CVE-2026-48710 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →