CVE-2026-48818 | Starlette is a lightweight ASGI framework/toolkit. In versio… | CVSS 7.5 HIGH

Description

Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. An UNC path such as \\attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection before the path is rejected, exposing the service account’s NTLMv2 credentials for offline cracking or relay even though the HTTP response is only a 404. The issue affects default follow_symlink=False deployments, including frameworks built on Starlette such as FastAPI; POSIX systems and follow_symlink=True are unaffected. The issue is fixed in 1.1.0.

Metadata

CVE ID: CVE-2026-48818
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-22 20:57 UTC
Published: 2026-06-17 17:50 UTC
Last updated: 2026-06-17 19:31 UTC
Primary CWE: CWE-918
CWE-918: Server-Side Request Forgery (SSRF)
Vendor / Product: Kludex / starlette
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Kludex	starlette	—	< 1.1.0

Weakness (CWE)

CWE	Source	Description
CWE-918	cna	CWE-918: Server-Side Request Forgery (SSRF)

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.5	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (4)

https://github.com/Kludex/starlette/security/advisories/GHSA-wqp7-x3pw-xc5r https://github.com/Kludex/starlette/security/advisories/GHSA-wqp7-x3pw-xc5r
https://github.com/Kludex/starlette/pull/3287 https://github.com/Kludex/starlette/pull/3287
https://github.com/Kludex/starlette/commit/fd53168a7767b6b55ba5af787fd88f49e33cabc5 https://github.com/Kludex/starlette/commit/fd53168a7767b6b55ba5af787fd88f49e33cabc5
https://github.com/Kludex/starlette/releases/tag/1.1.0 https://github.com/Kludex/starlette/releases/tag/1.1.0