CVE-2026-48710: Starlette BadHost HTTP Host-Header Path-Poisoning and Authentication Bypass

Vulnerability ID: CVE-2026-48710

CVSS Score: 7.0

CVE-2026-48710 is a critical security-desynchronization vulnerability in the Starlette ASGI framework (versions >= 0.8.3, < 1.0.1) that allows remote attackers to bypass path-based security middleware and access-control decorators. By injecting URI authority-to-path delimiters into the Host header, an attacker can alter the URL path that the application parses, while the underlying ASGI server still dispatches the request to the target endpoint.
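A defensive check for this class of bug, as an added example that is not code from Starlette or from this advisory: a pure-ASGI guard that rejects any Host value that is not a bare `host[:port]`, so no delimiter reaches code that rebuilds the URL. `rebuilt_path` models, as an assumption, an application that re-parses `scheme://Host + path`; all names and sample hosts are constructed.

```python
import re
from urllib.parse import urlsplit

# Bare host[:port] only: reg-name/IPv4 or bracketed IPv6. Stricter than RFC 3986 (no "%", "/", "?", "#", "@").
_HOST_RE = re.compile(r"(?:[A-Za-z0-9._~-]+|\[[0-9A-Fa-f:.]+\])(?::[0-9]{1,5})?")

# Constructed sample Host values; the last one carries path and query delimiters.
SAMPLE_HOSTS = ["example.test", "example.test:8443", "[::1]:8000", "example.test/public?"]


def host_is_well_formed(host: str) -> bool:
    """True only if the Host value is a bare host[:port] authority."""
    return bool(_HOST_RE.fullmatch(host))


def rebuilt_path(host: str, path: str, scheme: str = "http") -> str:
    """Assumed model: the path an app sees after re-parsing scheme://Host + path."""
    return urlsplit(f"{scheme}://{host}{path}").path


class HostHeaderGuard:
    """Pure ASGI middleware: reject a malformed or duplicated Host before the app runs."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] in ("http", "websocket"):
            hosts = [v.decode("latin-1") for k, v in scope["headers"] if k == b"host"]
            if len(hosts) > 1 or not all(map(host_is_well_formed, hosts)):
                await self._reject(scope, send)
                return
        await self.app(scope, receive, send)

    @staticmethod
    async def _reject(scope, send):
        if scope["type"] == "websocket":
            await send({"type": "websocket.close", "code": 1008})
            return
        await send({"type": "http.response.start", "status": 400,
                    "headers": [(b"content-type", b"text/plain")]})
        await send({"type": "http.response.body", "body": b"Bad Host header"})


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host!r:26} well_formed={host_is_well_formed(host)} app_sees={rebuilt_path(host, '/admin')}")
```

Install the guard as the outermost middleware so it runs before any path-based access check.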

TL;DR