CVE-2026-54282
Published 2026-06-22
Priority P4 · 31 · Medium 5.3 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.19% (8.5th percentile)
Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @google.com) moves the authority boundary during re-parsing, so request.url.hostname and request.url.netloc become attacker-controlled. Code that reads request.url.hostname (rather than the Host header or scope) can therefore be misled into trusting an attacker-supplied host. This vulnerability is fixed in 1.3.0.
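The mechanism above is easy to see with nothing but the standard library. The following is an added example, not Starlette's code and not the upstream patch: it rebuilds a URL with the same `{scheme}://{host}{path}` concatenate-then-re-parse pattern from a constructed ASGI-style scope, shows how a path that does not begin with `/` shifts the authority (and, for a path starting with `:`, the port), and contrasts it with a hardened variant that refuses non-path-absolute request paths. The helpers `make_scope`, `host_from_scope`, `rebuild_url_unchecked`, `rebuild_url_checked` and `absolute_link` are illustrative assumptions, as is the hardening check itself.

```python
"""Added example (not Starlette's code, not the upstream fix).

Reproduces the request.url reconstruction pattern from the advisory with only
the standard library. The ASGI scope, the helper names and the hardening check
are illustrative assumptions.
"""
from urllib.parse import urlsplit, SplitResult


def host_from_scope(scope: dict) -> str:
    """Return the Host header from an ASGI-style scope (headers are byte pairs),
    falling back to the server tuple the way a framework would."""
    for name, value in scope.get("headers", []):
        if name.lower() == b"host":
            return value.decode("latin-1")
    server_host, server_port = scope.get("server") or ("localhost", 80)
    return f"{server_host}:{server_port}"


def rebuild_url_unchecked(scope: dict) -> SplitResult:
    """Pre-fix pattern: concatenate scheme://host with the raw path, then re-parse.

    Nothing verifies that the path begins with '/', so a path such as
    '@google.com' is glued straight onto the authority before urlsplit() runs.
    """
    scheme = scope.get("scheme", "http")
    return urlsplit(f"{scheme}://{host_from_scope(scope)}{scope['path']}")


def rebuild_url_checked(scope: dict) -> SplitResult:
    """Hardened variant (an assumption, not the upstream patch): refuse any
    request path that is not path-absolute, so it can never extend the authority."""
    path = scope["path"]
    if not path.startswith("/"):
        raise ValueError(f"request path must start with '/': {path!r}")
    scheme = scope.get("scheme", "http")
    return urlsplit(f"{scheme}://{host_from_scope(scope)}{path}")


def make_scope(path: str, host: str = "localhost") -> dict:
    """Constructed ASGI scope for a GET request; `path` is attacker-controlled."""
    return {
        "type": "http",
        "scheme": "http",
        "method": "GET",
        "path": path,
        "headers": [(b"host", host.encode("latin-1"))],
        "server": ("127.0.0.1", 8000),
    }


def absolute_link(url: SplitResult, target: str) -> str:
    """Application code of the kind the advisory warns about: it builds an
    absolute link from the parsed hostname instead of the Host header/scope."""
    port = f":{url.port}" if url.port else ""
    return f"{url.scheme}://{url.hostname}{port}{target}"


def demo() -> dict:
    """Parse several constructed request paths with the unchecked rebuild and
    return (netloc, hostname, port, path) for each."""
    results = {}
    for path in ["/login", "@google.com", "@google.com/login", ":9999/x"]:
        url = rebuild_url_unchecked(make_scope(path))
        results[path] = (url.netloc, url.hostname, url.port, url.path)
    return results


if __name__ == "__main__":
    for path, (netloc, hostname, port, p) in demo().items():
        print(f"{path!r:22} netloc={netloc!r:26} hostname={hostname!r:14} "
              f"port={port!r:6} path={p!r}")
    # Host header said localhost, but the link points at google.com.
    print(absolute_link(rebuild_url_unchecked(make_scope("@google.com")), "/reset"))
```

Note that the Host header is `localhost` in every case, so a host allowlist applied to the header passes; the poisoning only shows up in consumers of the parsed `hostname`/`netloc`. The hardened variant rejects the request outright, which is the safest behaviour for a server that never legitimately receives a non-absolute request-target on an origin-form request.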
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| encode | starlette | < 1.3.0 | 1.3.0 |
| encode | starlette | >= 0 < 1.3.0 | 1.3.0 |
| exploit-intelligence-tech-preview | vulnerability-analysis-rhel9 | — | — |
| kludex | starlette | < 1.3.0 | 1.3.0 |
| mta | mta-solution-server-rhel9 | — | — |
| openshift-lightspeed | lightspeed-agentic-sandbox-rhel9 | — | — |
| openshift-lightspeed | lightspeed-ocp-rag-rhel9 | — | — |
| openshift-lightspeed | lightspeed-service-api-rhel9 | — | — |
CVSS provenance
NVD (v3.1): 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Red Hat (vendor): 5.3 MEDIUM
VulDB
CVE-2026-54282 [LOW] Kludex starlette up to 1.2.x HTTP Request request.url name resolution (GHSA-jp82-jpqv-5vv3)
vuldb · 2026-06-22 · CVSS 3.7
A vulnerability identified as problematic has been detected in Kludex starlette up to 1.2.x. This affects the function request.url of the component HTTP Request Handler. Performing a manipulation results in an incorrectly resolved name.
This vulnerability is cataloged as CVE-2026-54282. It is possible to initiate the attack remotely. There is no exploit available.
You should upgrade the affected component.
GHSA
CVE-2026-54282 [LOW] CWE-20 Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname
ghsa · 2026-06-15
### Summary
In affected versions, the HTTP request path is not validated before being used to reconstruct `request.url`. Because `request.url` is rebuilt by concatenating `{scheme}://{host}{path}` and re-parsing the result, a path that does not begin with `/` (for example `@google.com`) moves the authority boundary during re-parsing, so `request.url.hostname` and `request.url.netloc` become attacker-controlled. Code that reads `request.url.hostname` (rather than the `Host` header or `scope`) can therefore be misled into trusting an attacker-supplied host.
### Details
When a client requests a path that does not start with `/`:
```http
GET @google.com HTTP/1.1
Host: localhost
```
affected versi
Red Hat
CVE-2026-54282 [MEDIUM] CWE-1286 starlette: Starlette: Information disclosure due to improper HTTP request path validation
vendor_redhat · 2026-06-22 · CVSS 5.3
A flaw was found in Starlette, a lightweight Asynchronous Server Gateway Interface (ASGI) frame
No detection rules found.
No public exploits indexed.