Input validation error in starlette - CVE-2026-48710
Published: May 22, 2026 / Updated: May 27, 2026
starlette
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass path-based security checks.
The vulnerability exists due to improper input validation in request.url reconstruction when processing a malformed Host header. A remote attacker can send a specially crafted Host header to bypass path-based security checks.
The issue occurs because routing uses the raw HTTP path while security-sensitive code may rely on request.url.path reconstructed from the Host header.