Skip to main content

CVE-2026-48710 — Starlette Security Patch

· 2 min read
Jordane Tartarin
Jordane Tartarin
Lead Tech - AI Solutions

On May 26, 2026, a medium severity (CVSS 6.5) vulnerability was disclosed concerning Starlette, the lightweight ASGI framework used notably by FastAPI.

🔍 What is it about?

Prior to Starlette version 1.0.1, the HTTP Host request header was not validated before being used to reconstruct request.url. The routing algorithm relies on the raw HTTP path, while request.url is rebuilt from the Host header. A malformed header could therefore cause request.url.path to differ from the path that was actually requested.

Concretely, this means that:

  • Middlewares and endpoints applying security restrictions based on request.url (rather than the raw scope path) could be bypassed.
  • An attacker could manipulate the Host header to trick security controls relying on the reconstructed URL.

🛡️ What the patch fixes

Starlette version 1.0.1 introduces two major changes:

  1. Validation of the Host header against the grammar defined by RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing request.url.
  2. Fallback to scope["server"] when the Host header value is malformed, ensuring that request.url always reflects the server that was actually contacted.

Our responsiveness: 3 days from disclosure to production

The security of our infrastructure and our clients is a top priority. Here is the timeline of our response:

DateAction
26/05CVE-2026-48710 published
27/05Patch available — Starlette update ≥ 1.0.1
28/05Deployed to preproduction and non-regression testing
29/05Deployed to production ✅

As soon as the CVE was published on May 26, our teams identified the impact on our services. On May 27, a patch was already available from Starlette. We integrated it immediately and deployed it to preproduction on May 28, where a non-regression testing campaign was conducted to ensure no side effects. After validation, on May 29, the fix was deployed to production.

👉 Only 3 days between the vulnerability disclosure and its complete resolution in production.

An ongoing commitment

This incident illustrates our commitment to security:

  • Proactive monitoring: we track CVE publications affecting our dependencies.
  • Responsiveness: we apply fixes as quickly as possible, with a rigorous validation process before production deployment.
  • Transparency: we inform our users of incidents and the actions taken.

Security is not a state — it is a continuous process. We remain mobilized to ensure the protection of your data and services.

Update made by
Jordane TartarinJordane Tartarin