Bug 2491467 (CVE-2026-54282)

Summary: CVE-2026-54282 starlette: Starlette: Information disclosure due to improper HTTP request path validation
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: adudiak, alinfoot, anpicker, anthomas, aprice, bbrownin, bparees, dfreiber, drow, dschmidt, dtrifiro, ehelms, erezende, ggainey, hasun, ilpinto, jburrell, jdobes, jfula, jkoehler, jlanda, jowilson, jpasqual, jsamir, juwatts, jwong, kaycoth, kshier, lphiri, ltomasbo, mbarnett, mhayden, mhulan, nmoumoul, nyancey, oezr, omaciel, ometelka, orabin, osousa, pcreech, prwatson, ptisnovs, rbryant, rchan, rjohnson, sdoran, simaishi, smallamp, stcannon, syedriko, teagle, tmalecek, ttakamiy, vkumar, weaton, xdharmai, yguenane, ykashtan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Starlette, a lightweight Asynchronous Server Gateway Interface (ASGI) framework. Prior to version 1.3.0, the HTTP request path was not properly validated when reconstructing the `request.url`. A remote attacker could craft a malicious HTTP request path that does not begin with a forward slash, causing the framework to misinterpret the authority boundary. This could lead to `request.url.hostname` and `request.url.netloc` becoming attacker-controlled, potentially misleading applications that rely on these values into trusting an attacker-supplied host.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-22 18:03:07 UTC
Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @google.com) moves the authority boundary during re-parsing, so request.url.hostname and request.url.netloc become attacker-controlled. Code that reads request.url.hostname (rather than the Host header or scope) can therefore be misled into trusting an attacker-supplied host. This vulnerability is fixed in 1.3.0.