An architectural flaw in the popular Python framework Starlette turns any path-based access check into an illusion.

The popular Python framework Starlette, on which FastAPI is built, has been affected by a vulnerability that lets an attacker bypass application access controls by manipulating the Host header. The problem affects Starlette versions 0.8.3 through 1.0.0 and has already been assigned a severity rating.
Researchers at X41 D-Sec found that Starlette reconstructs the request URL incorrectly. The framework assembles the URL from the request path and the contents of the Host header, but does not validate the Host value. An attacker can add extra characters to the header and effectively replace the request path as seen by the application handler.
The problem arises because Starlette's routing uses the real HTTP path, while some security mechanisms rely on request.url.path, which is derived from the already-tampered URL. As a result, the application may believe the user is accessing a permitted section when the request is actually going to a restricted resource.
In the published example, the researchers showed how admin-panel protection can be bypassed using a specially crafted Host header. A normal request to “/admin” returned a 403 error, but adding a “?” character to the Host header granted access to the restricted section and returned the secret data.
According to X41 D-Sec, the researchers automatically scanned open-source projects and identified many middleware handlers that use request.url to check access to individual paths. Such a mistake allows an attacker not only to bypass authentication but also to carry out SSRF attacks and, in some cases, even achieve remote code execution.
The vulnerability affects all popular ASGI servers, including Uvicorn, Hypercorn, Daphne and Granian, whenever the application relies on request.url.path.
The Starlette developers released a fix in version 1.0.1. Until the update is installed, the researchers recommend using request.scope["path"] instead of request.url.path and validating Host headers at the reverse-proxy level, for example in nginx or Apache HTTP Server.
The problem was discovered on January 27, 2026 during a third-party audit of the source code. The fix was published on May 21. The vulnerability has been assigned the identifier CVE-2026-48710 and is registered on GitHub as GHSA-86qp-5c8j-p5mr. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, base score 6.5 (Medium).
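To make the mechanism and the recommended mitigation concrete, here is an added example (not Starlette's code and not X41 D-Sec's proof of concept). It models, in simplified form, how a URL rebuilt from an unvalidated Host header plus the request path parses differently from the raw ASGI path, and contrasts a guard that reads the rebuilt URL's path with a hardened guard that validates the Host header and checks scope["path"] as the advisory recommends. The function names, the hostname regex and the scope builder are constructed for this illustration; the ASGI scope keys (path, query_string, headers) are the standard ones.

```python
import re
from urllib.parse import urlsplit

# Constructed Host validator: RFC 1123 hostname labels or a bracketed IPv6
# literal, with an optional numeric port. Anything else is rejected.
_HOST_RE = re.compile(
    r"^(?:(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"|\[[0-9A-Fa-f:.]+\])(?::[0-9]{1,5})?$"
)


def make_scope(path, host, query=b""):
    """Build a minimal ASGI HTTP scope (constructed test input, not from a real server)."""
    return {
        "type": "http",
        "scheme": "http",
        "path": path,
        "query_string": query,
        "headers": [(b"host", host.encode("latin-1"))],
    }


def header(scope, name):
    """Return the first header with the given lowercase byte name, or ''."""
    for key, value in scope["headers"]:
        if key.lower() == name:
            return value.decode("latin-1")
    return ""


def rebuilt_url_path(scope):
    """Simplified model of the flawed pattern: paste Host + path into a URL
    string, re-parse it, and read .path. With a '?' inside the Host value the
    parser treats the real path as the query string, so .path comes back empty.
    (Illustrative model, not the framework's own implementation.)"""
    url = f"{scope['scheme']}://{header(scope, b'host')}{scope['path']}"
    if scope["query_string"]:
        url += "?" + scope["query_string"].decode("latin-1")
    return urlsplit(url).path


def is_valid_host(host):
    return bool(_HOST_RE.match(host))


def is_admin_path(path):
    return path == "/admin" or path.startswith("/admin/")


def guard_admin_naive(scope, is_admin):
    """Vulnerable pattern from the advisory: the check reads the rebuilt URL's path."""
    if is_admin_path(rebuilt_url_path(scope)) and not is_admin:
        return 403
    return 200


def guard_admin_hardened(scope, is_admin):
    """Hardened pattern: refuse malformed Host values, then check the raw ASGI path,
    which is the value the router actually dispatches on."""
    if not is_valid_host(header(scope, b"host")):
        return 400  # Host is not hostname[:port]; do not reason about the URL at all
    if is_admin_path(scope["path"]) and not is_admin:
        return 403
    return 200


if __name__ == "__main__":
    normal = make_scope("/admin", "example.com")
    crafted = make_scope("/admin", "example.com?")  # the '?' case the advisory describes
    print("normal  naive/hardened:", guard_admin_naive(normal, False), guard_admin_hardened(normal, False))
    print("crafted naive/hardened:", guard_admin_naive(crafted, False), guard_admin_hardened(crafted, False))
```

The useful check for a defender is the pair of results for the crafted scope: the naive guard answers 200 because the rebuilt path is empty, while the hardened guard answers 400 before any path comparison happens. Rejecting bad Host values at the reverse proxy gives the same outcome one hop earlier, and checking scope["path"] keeps the guard in agreement with the router even if a proxy is misconfigured.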
