CVE-2026-48710

MEDIUM NUCLEI LAB

Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks

Title source: cna

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-48710. PoCs published by eris-ths, Bhanunamikaze, xtremebeing. A Nuclei detection template is also available.


Description

Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm matches on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually routed. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to version 1.0.1 or later, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.
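An added example, not code from the Starlette project or from any of the PoCs listed on this page: a minimal pure-ASGI middleware (the `RawPathGuard` class, `status_for` driver and `x-api-key` header are hypothetical) that takes its path-based decision from `scope["path"]`, the value the router matches on, instead of from a `request.url` rebuilt from the `Host` header, which is the pattern the advisory says affected versions could bypass. It needs no Starlette install; the driver feeds it constructed ASGI scopes.

```python
import asyncio

# Constructed for this example: path prefixes that require an API key.
PROTECTED_PREFIXES = ("/admin", "/internal")


def is_protected(path: str) -> bool:
    """Prefix match on the ASGI path, tolerating a trailing slash."""
    path = path.rstrip("/") or "/"
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


class RawPathGuard:
    """Pure-ASGI middleware (hypothetical) that decides on scope["path"], the
    same value the router matches, rather than on a URL rebuilt from Host."""

    def __init__(self, app, api_key: bytes) -> None:
        self.app = app
        self.api_key = api_key

    async def __call__(self, scope, receive, send) -> None:
        if scope["type"] == "http" and is_protected(scope["path"]):
            headers = dict(scope.get("headers", []))
            if headers.get(b"x-api-key") != self.api_key:
                await send({"type": "http.response.start", "status": 403,
                            "headers": [(b"content-type", b"text/plain")]})
                await send({"type": "http.response.body", "body": b"forbidden"})
                return
        await self.app(scope, receive, send)


async def hello(scope, receive, send) -> None:
    """Innermost app: answers 200 for anything the guard lets through."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def status_for(path: str, headers: list) -> int:
    """Drive the guarded app with a constructed HTTP scope; return the status."""
    scope = {"type": "http", "method": "GET", "path": path, "headers": headers,
             "raw_path": path.encode(), "server": ("127.0.0.1", 8000)}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(RawPathGuard(hello, b"secret-key")(scope, receive, send))
    return sent[0]["status"]
```

Because the check never consults the `Host` header, the outcome for a given routed path is the same whatever that header contains.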

Exploits (3)

nomisec · SCANNER · 3 stars
by eris-ths · poc
https://github.com/eris-ths/supply-chain-guard

This repository contains a set of scripts designed to scan for supply chain vulnerabilities, including compromised packages, IOCs (Indicators of Compromise), and lockfile integrity checks. It does not include exploit code but provides detection mechanisms for known malicious packages and artifacts.

Classification: Scanner (95%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: npm/yarn/Python projects
No auth needed
Prerequisites: presence of package.json, package-lock.json, or Python project files
Analyzed by devstral-2 · May 27, 2026
github · WORKING POC
by Bhanunamikaze · python · poc
https://github.com/Bhanunamikaze/BadHost-CVE-2026-48710-Exploit

This repository contains a functional exploit PoC for CVE-2026-48710, demonstrating an authentication bypass vulnerability in Starlette/FastAPI applications. The exploit leverages malformed Host headers to manipulate request.url.path, bypassing middleware authentication checks.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Starlette/FastAPI (specific version not specified)
No auth needed
Prerequisites: Access to a vulnerable Starlette/FastAPI application · Ability to send crafted HTTP requests with malformed Host headers
Analyzed by devstral-2 · May 28, 2026
nomisec · WORKING POC
by xtremebeing · poc
https://github.com/xtremebeing/starlette-host-header-lab

This repository contains a functional exploit PoC for CVE-2026-48710, demonstrating a Host header URL confusion vulnerability in Starlette. The exploit manipulates the Host header to bypass authentication checks by causing a discrepancy between the reconstructed URL path and the actual routed path.

Classification: Working PoC (100%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Starlette >= 0.8.3, < 1.0.1
No auth needed
Prerequisites: Docker · Docker Compose
Analyzed by devstral-2 · May 27, 2026

Nuclei Templates (1)

Starlette - Improper Validation of Unsafe Equivalence in Input
CRITICAL · by ritikchaddha
Shodan: http.html:"starlette"
FOFA: body="starlette"

Scores

CVSS v3: 6.5
EPSS: 0.0035
EPSS Percentile: 58.2%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-444
Status: published
Products (3):
encode/starlette 0.8.3 - 1.0.1
Kludex/starlette < 1.0.1
pypi/starlette 0 - 1.0.1 (PyPI)
Published: May 26, 2026
Tracked Since: May 27, 2026