VDB
CVE-2026-48818
CVE-2026-48818
PUBLISHED
CVSS 7.5 HIGH
Reported by GitHub_M · Published June 17, 2026
Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. An UNC path such as \\attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection before the path is rejected, exposing the service account’s NTLMv2 credentials for offline cracking or relay even though the HTTP response is only a 404. The issue affects default follow_symlink=False deployments, including frameworks built on Starlette such as FastAPI; POSIX systems and follow_symlink=True are unaffected. The issue is fixed in 1.1.0.
Risk Scores
CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kludex | starlette | < 1.1.0 |
| Red Hat | Migration Toolkit for Applications 8 | |
| Red Hat | OpenShift Lightspeed | |
| Red Hat | Red Hat Ansible Automation Platform 2 | |
| Red Hat | Red Hat AI Inference Server | |
| Kludex | starlette | < 1.1.0, < 1.1.0 |
| Red Hat | Red Hat AI Inference Server 3.3 | |
| Red Hat | Red Hat Hardened Images | |
| Red Hat | Red Hat OpenShift AI (RHOAI) | |
| Red Hat | Red Hat Satellite 6 | |
| Red Hat | Exploit Intelligence | |
| Red Hat | Red Hat Enterprise Linux AI (RHEL AI) 3 |
Timeline
- Jun 15, 2026 CVE Published
- Jun 18, 2026 Coalition ESS Score
- Jun 18, 2026 Security Advisory
- Jun 30, 2026 CVE Updated
- Jul 1, 2026 Distribution Patch
- Jul 1, 2026 Distribution Patch
- Jul 1, 2026 Distribution Patch
- Jul 1, 2026 Security Advisory
- Jul 1, 2026 Security Advisory
- Jul 1, 2026 Security Advisory
References
- https://github.com/Kludex/starlette/security/advisories/GHSA-wqp7-x3pw-xc5r x_refsource_CONFIRM
- https://github.com/Kludex/starlette/pull/3287 x_refsource_MISC
- https://github.com/Kludex/starlette/commit/fd53168a7767b6b55ba5af787fd88f49e33cabc5 x_refsource_MISC
- https://github.com/Kludex/starlette/releases/tag/1.1.0 x_refsource_MISC
- https://access.redhat.com/security/cve/CVE-2026-48818 vdb
- RHBZ#2490020 issue
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48818.json url
- https://access.redhat.com/errata/RHSA-2026:30089 vendor-advisory
- https://access.redhat.com/errata/RHSA-2026:30088 vendor-advisory
- https://access.redhat.com/errata/RHSA-2026:30087 vendor-advisory