CVE-2026-48710 — Starlette Security Patch
On May 26, 2026, a medium severity (CVSS 6.5) vulnerability was disclosed concerning Starlette, the lightweight ASGI framework used notably by FastAPI.
🔍 What is it about?
Prior to Starlette version 1.0.1, the HTTP Host request header was not validated before being used to reconstruct request.url. The routing algorithm relies on the raw HTTP path, while request.url is rebuilt from the Host header. A malformed header could therefore cause request.url.path to differ from the path that was actually requested.
Concretely, this means that:
- Middlewares and endpoints applying security restrictions based on
request.url(rather than the rawscopepath) could be bypassed. - An attacker could manipulate the
Hostheader to trick security controls relying on the reconstructed URL.
🛡️ What the patch fixes
Starlette version 1.0.1 introduces two major changes:
- Validation of the
Hostheader against the grammar defined by RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructingrequest.url. - Fallback to
scope["server"]when theHostheader value is malformed, ensuring thatrequest.urlalways reflects the server that was actually contacted.
Our responsiveness: 3 days from disclosure to production
The security of our infrastructure and our clients is a top priority. Here is the timeline of our response:
| Date | Action |
|---|---|
| 26/05 | CVE-2026-48710 published |
| 27/05 | Patch available — Starlette update ≥ 1.0.1 |
| 28/05 | Deployed to preproduction and non-regression testing |
| 29/05 | Deployed to production ✅ |
As soon as the CVE was published on May 26, our teams identified the impact on our services. On May 27, a patch was already available from Starlette. We integrated it immediately and deployed it to preproduction on May 28, where a non-regression testing campaign was conducted to ensure no side effects. After validation, on May 29, the fix was deployed to production.
👉 Only 3 days between the vulnerability disclosure and its complete resolution in production.
An ongoing commitment
This incident illustrates our commitment to security:
- Proactive monitoring: we track CVE publications affecting our dependencies.
- Responsiveness: we apply fixes as quickly as possible, with a rigorous validation process before production deployment.
- Transparency: we inform our users of incidents and the actions taken.
Security is not a state — it is a continuous process. We remain mobilized to ensure the protection of your data and services.