CVE-2026-48818: Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows
When serving static files on Windows, StaticFiles joins the requested path onto the configured directory and resolves the result with os.path.realpath before serving it. On Windows, a UNC path such as \\attacker.com\share is an absolute path, so joining it onto the base directory discards the base directory entirely, and realpath then has to consult the filesystem to resolve the final path. That causes the process to open an SMB connection (TCP port 445) to the attacker-controlled host and to authenticate automatically with the service account's NTLM credentials. The result is a server-side request forgery (SSRF) that leaks the account's NTLMv2 challenge-response to the attacker, who can crack it offline or relay it to other hosts. Only deployments that run on Windows are affected. The practical safeguard is to reject any request component that is not a plain relative segment (backslashes, drive letters, leading separators, or parent-directory references) before any filesystem call is made, rather than relying on a containment check that runs only after realpath has already resolved the path.
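The following is an added illustration of the unsafe join and of a pre-resolution check; it is not code from Starlette or from the advisory. It uses Python's ntpath module so that it runs on any platform, and it deliberately never calls realpath or stat, so no connection is attempted. The base directory, the request strings, and the helper names (resolve_unchecked, resolve_checked, is_unc) are constructed for the example.

```python
import ntpath
from typing import Optional

# Constructed base directory for the example; Windows path semantics via ntpath.
BASE_DIR = r"C:\app\static"


def resolve_unchecked(base: str, requested: str) -> str:
    """Vulnerable pattern: join the request onto the base, normalize, and hand
    the result to the resolver. Because a UNC component is absolute, ntpath.join
    throws the base away, so the string returned here is exactly what a
    subsequent os.path.realpath/os.stat call on Windows would try to open."""
    return ntpath.normpath(ntpath.join(base, requested))


def is_unc(path: str) -> bool:
    """True if the path's drive part is a UNC share (\\\\host\\share or //host/share)."""
    drive, _ = ntpath.splitdrive(path)
    return drive.startswith("\\\\") or drive.startswith("//")


def resolve_checked(base: str, requested: str) -> Optional[str]:
    """Hardened pattern: validate the request before touching the filesystem.

    Returns the candidate path inside base, or None if the request must be
    rejected. No filesystem call is made here; the caller may only stat/realpath
    a non-None result."""
    # 1. Only plain forward-slash-separated relative paths are acceptable.
    #    Backslashes, drive letters and leading separators are the ingredients
    #    of UNC and absolute paths on Windows.
    if not requested or "\\" in requested or ":" in requested or requested.startswith("/"):
        return None
    segments = requested.split("/")
    # 2. No empty, current-directory or parent-directory segments.
    if any(seg in ("", ".", "..") for seg in segments):
        return None
    candidate = ntpath.normpath(ntpath.join(base, *segments))
    # 3. Belt and braces: the candidate must not be UNC and must stay inside base.
    if is_unc(candidate):
        return None
    base_norm = ntpath.normpath(base)
    try:
        if ntpath.commonpath([base_norm, candidate]) != base_norm:
            return None
    except ValueError:  # different drives
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request strings; the UNC ones would trigger the SMB connection.
    for req in ("css/site.css", r"\\attacker.com\share\loot", "//attacker.com/share/loot", "../secrets.txt"):
        print(f"{req!r:40} unchecked -> {resolve_unchecked(BASE_DIR, req)!r:40} checked -> {resolve_checked(BASE_DIR, req)!r}")
```

Run as a script to see that the unchecked join turns both the backslash and the forward-slash UNC forms into a path whose drive is \\attacker.com\share, while the checked variant rejects them without ever consulting the filesystem and still accepts an ordinary relative request.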