VDB

CVE-2026-48818

CVE-2026-48818 PUBLISHED CVSS 7.5 HIGH

Reported by GitHub_M · Published June 17, 2026

Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. An UNC path such as \\attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection before the path is rejected, exposing the service account’s NTLMv2 credentials for offline cracking or relay even though the HTTP response is only a 404. The issue affects default follow_symlink=False deployments, including frameworks built on Starlette such as FastAPI; POSIX systems and follow_symlink=True are unaffected. The issue is fixed in 1.1.0.

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

VendorProductVersions
Kludexstarlette< 1.1.0
Red HatMigration Toolkit for Applications 8
Red HatOpenShift Lightspeed
Red HatRed Hat Ansible Automation Platform 2
Red HatRed Hat AI Inference Server
Kludexstarlette< 1.1.0, < 1.1.0
Red HatRed Hat AI Inference Server 3.3
Red HatRed Hat Hardened Images
Red HatRed Hat OpenShift AI (RHOAI)
Red HatRed Hat Satellite 6
Red HatExploit Intelligence
Red HatRed Hat Enterprise Linux AI (RHEL AI) 3

Timeline

  • Jun 15, 2026 CVE Published
  • Jun 18, 2026 Coalition ESS Score
  • Jun 18, 2026 Security Advisory
  • Jun 30, 2026 CVE Updated
  • Jul 1, 2026 Distribution Patch
  • Jul 1, 2026 Distribution Patch
  • Jul 1, 2026 Distribution Patch
  • Jul 1, 2026 Security Advisory
  • Jul 1, 2026 Security Advisory
  • Jul 1, 2026 Security Advisory
Open in Interactive Console →
$ Console Community · 100/wk Open console ›