FKIE_CVE-2026-48710
Vulnerability from fkie_nvd - Published: 2026-05-26 22:16 - Updated: 2026-06-17 10:55
Severity
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.
References
{
"affected": [
{
"affectedData": [
{
"product": "starlette",
"vendor": "Kludex",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.1"
}
]
}
],
"source": "security-advisories@github.com"
},
{
"affectedData": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-tpu-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-cpu-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-spyre-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-rocm-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-cuda-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-cuda-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-rocm-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "ansible-automation-platform-25/lightspeed-chatbot-rhel8",
"product": "ansible_automation_platform-2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaii/vllm-gaudi-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaii/vllm-rocm-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-tpu-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaii/vllm-cuda-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "ansible-automation-platform-26/lightspeed-chatbot-rhel9",
"product": "ansible_automation_platform-2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-spyre-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaii/vllm-spyre-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected",
"packageName": "ansible-automation-platform-26/mcp-tools-rhel9",
"product": "ansible_automation_platform-2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaii/vllm-cpu-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "mta/mta-solution-server-rhel9",
"product": "mta-8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "exploit-intelligence-tech-preview/vulnerability-analysis-rhel9",
"product": "exploit-intelligence",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "openshift-lightspeed/lightspeed-ocp-rag-rhel9",
"product": "ols-1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaii/vllm-tpu-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaiis/vllm-neuron-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhaii/vllm-neuron-rhel9",
"product": "ai-inference-server-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "openshift-lightspeed/lightspeed-service-api-rhel9",
"product": "ols-1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-caikit-nlp-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-aws-cuda-rhel9",
"product": "rhel-ai-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "ask-sre",
"product": "openshift-hosted-osd4",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-azure-cuda-rhel9",
"product": "rhel-ai-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-built-in-detector-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-gaudi-rhel9",
"product": "rhel-ai-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-rocm-rhel9",
"product": "rhel-ai-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhelai3/disk-image-cuda-rhel9",
"product": "rhel-ai-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-gcp-cuda-rhel9",
"product": "rhel-ai-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-cuda-rhel9",
"product": "rhel-ai-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "satellite/iop-advisor-engine-rhel9",
"product": "rhn_satellite_6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhel-cla/rlsapi-rhel10",
"product": "rhel-cla-0",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhelai3/bootc-azure-rocm-rhel9",
"product": "rhel-ai-3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-vllm-cuda-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-guardrails-detector-huggingface-runtime-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-llama-stack-core-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-feature-server-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-vllm-gaudi-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-kserve-storage-initializer-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-caikit-tgis-serving-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-guardrails-detector-huggingface-runtime-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-guardrails-detector-huggingface-runtime-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-kserve-controller-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-feature-server-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-kserve-agent-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-kserve-router-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-vllm-gaudi-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-automl-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-mlflow-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-llama-stack-core-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-built-in-detector-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-built-in-detector-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-vllm-rocm-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-feature-server-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-mlserver-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-trustyai-nemo-guardrails-server-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-training-cuda128-torch29-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-kserve-storage-initializer-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-trustyai-nemo-guardrails-server-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-kserve-storage-initializer-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-training-cuda128-torch29-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-kserve-router-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-kserve-agent-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-th06-rocm64-torch291-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-kserve-controller-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-kserve-autogluon-server-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-vllm-gaudi-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-th06-cuda130-torch210-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-llm-d-kv-cache-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-mlflow-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-mlserver-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-th06-cpu-torch210-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-llama-stack-core-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "aap-installers-rag-content",
"product": "services-ansible-lightspeed-chatbot",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "satellite/iop-vulnerability-engine-rhel9",
"product": "rhn_satellite_6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "satellite/iop-vmaas-rhel9",
"product": "rhn_satellite_6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "satellite/foreman-mcp-server-rhel9",
"product": "rhn_satellite_6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "satellite/iop-host-inventory-rhel9",
"product": "rhn_satellite_6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "satellite/iop-host-inventory-rhel9",
"product": "rhn_satellite_6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9",
"product": "openshift-ai",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "satellite/foreman-mcp-server-rhel9",
"product": "rhn_satellite_6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "aap-rag-content",
"product": "services-ansible-lightspeed-chatbot",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "ansible-chatbot-stack",
"product": "services-ansible-lightspeed-chatbot",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "satellite/iop-vulnerability-engine-rhel9",
"product": "rhn_satellite_6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "satellite/iop-vmaas-rhel9",
"product": "rhn_satellite_6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "nexus",
"product": "services-ansible-nexus",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "cloudservices/insights-inventory",
"product": "services-inventory",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "insights-host-inventory",
"product": "services-inventory",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected",
"packageName": "ansible-mcp-tools",
"product": "services-ansible-lightspeed-chatbot",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "cloudservices/rbac",
"product": "services-management-platform",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "digital-roadmap-backend",
"product": "services-digital-roadmap",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "automation-analytics-backend",
"product": "services-ansible-on-clouds",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "insights-rbac",
"product": "services-management-platform",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "unknown@sha256:456a1542e13586a1c2cf1bbbb146124ca53041f5b9680becbebe10095afe881f/unknown@sha256:456a1542e13586a1c2cf1bbbb146124ca53041f5b9680becbebe10095afe881f",
"product": "services-ansible-lightspeed-chatbot",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected",
"packageName": "okp-mcp",
"product": "services-rhel-lightspeed",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected",
"packageName": "google-lightspeed-agent",
"product": "services-lightspeed-agent-google-cloud",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "cloudservices/vulnerability-engine-app",
"product": "services-vulnerability-engine",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "vmaas",
"product": "services-vulnerability-engine",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected",
"packageName": "vulnerability-engine",
"product": "services-vulnerability-engine",
"vendor": "Red Hat"
}
],
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:encode:starlette:*:*:*:*:*:python:*:*",
"matchCriteriaId": "4C7C6045-86A6-4FAC-AE15-B12438E9D1B4",
"versionEndExcluding": "1.0.1",
"versionStartIncluding": "0.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 \u00a73.2 / RFC 3986 \u00a73.2.2 when constructing `request.url` and falls back to `scope[\"server\"]` for malformed values."
}
],
"id": "CVE-2026-48710",
"lastModified": "2026-06-17T10:55:13.440",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-48710",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T14:22:19.241769Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-05-26T22:16:44.020",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://badhost.org"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/Kludex/starlette/commit/764dab0dcfb9033d75442d7a359645c9f94648c6"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2026-161.yaml"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Third Party Advisory"
],
"url": "https://www.secwest.net/starlette"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Third Party Advisory"
],
"url": "https://www.x41-dsec.de/lab/advisories/x41-2026-002-starlette"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://access.redhat.com/security/cve/CVE-2026-48710"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://badhost.org"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"tags": [
"Patch"
],
"url": "https://github.com/Kludex/starlette/commit/764dab0dcfb9033d75442d7a359645c9f94648c6"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2026-161.yaml"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48710.json"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-48710"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"tags": [
"Exploit",
"Mitigation",
"Third Party Advisory"
],
"url": "https://www.secwest.net/starlette"
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"tags": [
"Exploit",
"Mitigation",
"Third Party Advisory"
],
"url": "https://www.x41-dsec.de/lab/advisories/x41-2026-002-starlette"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-444"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1289"
}
],
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"type": "Secondary"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…