Bug 2490020 (CVE-2026-48818) - CVE-2026-48818 starlette: Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows
Keywords:
Status: NEW
Alias: CVE-2026-48818
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-06-17 19:04 UTC by OSIDB Bzimport
Modified: 2026-06-17 22:25 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-17 19:04:09 UTC
Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. A UNC path such as \\attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection before the path is rejected, exposing the service account’s NTLMv2 credentials for offline cracking or relay even though the HTTP response is only a 404. The issue affects default follow_symlink=False deployments, including frameworks built on Starlette such as FastAPI; POSIX systems and follow_symlink=True are unaffected. The issue is fixed in 1.1.0.
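As an added illustration of the defensive pattern the description implies (this is hypothetical helper code, not Starlette's own code or its 1.1.0 fix), the gate below classifies a request path purely lexically, so UNC, drive-letter, rooted and traversal paths are rejected before anything is handed to os.path.realpath, which on Windows would contact the host named in a UNC path while resolving it. The root directory and sample request paths are constructed for the demo.

```python
import os
from pathlib import PureWindowsPath
from typing import List, Optional


def _segments(request_path: str) -> List[str]:
    """Split on both '/' and '\\' (Windows accepts either) and drop '' and '.'."""
    return [s for s in request_path.replace("\\", "/").split("/") if s not in ("", ".")]


def reject_reason(request_path: str) -> Optional[str]:
    """Return why a request path must not reach the filesystem, or None if it is a plain relative path.

    Every test here is string-based: no filesystem or network access happens,
    which is the point, since os.path.realpath on Windows resolves \\host\share
    by opening an SMB connection to host. Hypothetical helper, not Starlette's.
    """
    if request_path.replace("\\", "/").startswith("//"):
        return "unc"            # \\host\share or //host/share
    win = PureWindowsPath(request_path)
    if win.drive:
        return "drive"          # C:\... or the drive-relative form C:foo
    if win.root:
        return "absolute"       # \foo or /foo, rooted on the current drive
    segs = _segments(request_path)
    if ".." in segs:
        return "traversal"
    # ntpath.join discards everything before a later drive-bearing segment,
    # so 'img/C:/x' would escape the root even though it is not rooted itself.
    if any(PureWindowsPath(s).drive for s in segs):
        return "drive"
    return None


def safe_join(root: str, request_path: str) -> str:
    """Join root and request_path only after reject_reason has cleared the path."""
    reason = reject_reason(request_path)
    if reason is not None:
        raise ValueError(f"rejected ({reason}): {request_path!r}")
    return os.path.join(root, *_segments(request_path))


if __name__ == "__main__":
    # Constructed sample request paths; the host name is a placeholder.
    for p in ["css/app.css", r"\\attacker.example\share", "//attacker.example/share",
              "C:/Windows/win.ini", "/etc/passwd", "../../secret", "img/C:/x"]:
        print(f"{p!r:32} -> {reject_reason(p)}")
```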

