Starlette Vulnerability Allows Path Injection via Host Header

Severity: Medium (Score: 57.8)

Sources: osv.dev, x41-dsec.de

Published: 2026-05-27 · Updated: 2026-05-27

Keywords: requested, host, header, starlette, reconstructs, based, http

Summary

A vulnerability in Starlette, a Python ASGI framework, allows attackers to manipulate the Host header, leading to potential authentication bypass and other security issues. The flaw arises from Starlette's failure to validate the Host header value, enabling path injection into the reconstructed URL. This inconsistency can affect middleware implementations in various open-source projects that rely on request.url for security checks. The vulnerability has been assigned the identifier PYSEC-2026-161. Affected systems include those using Starlette and FastAPI. A proof of concept (PoC) has been created, and a patch was publicly released on May 21, 2026. Security professionals are advised to review their implementations and apply the patch promptly.

Key Points:

  • Starlette's Host header validation flaw can lead to authentication bypass.
  • The vulnerability affects middleware in popular open-source projects relying on request.url.
  • A patch was released on May 21, 2026, following the identification of the issue.

Detailed Analysis

**Impact**

Organizations using the Starlette or FastAPI frameworks are affected, including those in sectors relying on Python asynchronous web services globally. The vulnerability allows attackers to bypass authentication and potentially execute remote code, risking unauthorized access and data compromise. Middleware that relies on the reconstructed URL path for security enforcement is particularly exposed, which widens the impact on web applications.

**Technical Details**

The attack exploits the lack of validation of the HTTP Host header in Starlette: because the request URL is rebuilt from the Host header and the requested path, a crafted Host value can inject path components into the URL that middleware and endpoints read from request.url. Routing, by contrast, is based on the actual request path, so the two interpretations of the URL diverge; that inconsistency can be leveraged for authentication bypass, SSRF, and remote code execution. The issue is tracked as GHSA-86qp-5c8j-p5mr, with a proof of concept developed by X41 D-Sec. The vulnerability was identified in January 2026, patched by the vendor in May 2026, and publicly disclosed shortly after.

**Recommended Response**

Apply the vendor patch released on 2026-05-21 immediately so that Host headers are validated and path injection is prevented. Review and update middleware and security controls that rely on request.url.path to ensure they use the actual request path instead. Monitor HTTP Host headers for malformed values indicative of exploitation attempts. If patching is not immediately possible, implement strict input validation and logging of Host headers to detect suspicious activity.
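As an added illustration, not code from the advisory, X41 D-Sec or the Starlette project, the following stdlib-only Python models the inconsistency described above: a URL rebuilt by joining the Host header and the path, a syntactic and allowlist Host check a defender can apply before trusting request.url, and a divergence check that flags requests whose URL-derived path would not match the routed path. The host allowlist, the function names and the sample Host values are constructed assumptions; the string-join model is a simplification of the reconstruction, not Starlette's own implementation.

```python
import re
from urllib.parse import urlsplit

# Constructed sample values for the demonstration (not taken from the advisory).
ALLOWED_HOSTS = {"api.example.com", "localhost"}
RAW_PATH = "/api/admin"

# Host header syntax: a DNS name or IPv4 literal, or a bracketed IPv6 literal,
# optionally followed by ":port". Anything else (slashes, '?', '@', '#', spaces)
# is malformed and can change the meaning of a URL rebuilt from it.
_HOST_RE = re.compile(
    r"^(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)"
    r"(?::(?P<port>[0-9]{1,5}))?$"
)


def reconstruct_url(scheme: str, host_header: str, path: str) -> str:
    """Simplified model of rebuilding request.url by string-joining the scheme,
    Host header and path. This is an assumption about how the advisory's bug
    arises, not Starlette's own code."""
    return f"{scheme}://{host_header}{path}"


def reconstructed_path(scheme: str, host_header: str, path: str) -> str:
    """Path a consumer sees after parsing the rebuilt URL (what request.url.path
    would report in the model above)."""
    return urlsplit(reconstruct_url(scheme, host_header, path)).path


def host_header_is_wellformed(host_header: str) -> bool:
    """Syntactic check: reject Host values containing URL-significant characters."""
    return _HOST_RE.fullmatch(host_header) is not None


def host_header_is_allowed(host_header: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allowlist check for a hardened deployment: well-formed AND a known host."""
    match = _HOST_RE.fullmatch(host_header)
    if match is None:
        return False
    return match.group("host").lower() in allowed_hosts


def path_interpretations_diverge(host_header: str, raw_path: str) -> bool:
    """True when the routed (raw) path and a URL-derived path would disagree;
    this is the inconsistency the advisory describes and a useful log signal."""
    return reconstructed_path("http", host_header, raw_path) != raw_path


if __name__ == "__main__":
    for host in ("api.example.com", "api.example.com:8443", "api.example.com/x"):
        print(host, host_header_is_allowed(host), path_interpretations_diverge(host, RAW_PATH))
```

Routing decisions should be taken from the raw scope path, while the Host check above is the kind of strict input validation the response section recommends for deployments that cannot patch immediately.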

Source articles (2)

  • X41 2026 002 Starlette — x41-dsec.de · 2026-05-27
    Starlette reconstructs the requested URL based on the HTTP Host request header and requested path, but does not perform any validation of the Host header value. This allows attackers to inject paths i…
  • PYSEC-2026-161 — osv.dev · 2026-05-27
    Starlette reconstructs the requested URL based on the HTTP Host request header and requested path, but does not perform any validation of the Host header value. This allows attackers to inject paths i…

Timeline

  • 2026-01-27 — Issue identified during code audit: The vulnerability was discovered during an unrelated source code audit of Starlette.
  • 2026-02-04 — PoC created and vendor contacted: A proof of concept was developed and shared with the vendor for review.
  • 2026-03-01 — Patch proposed by the vendor: The vendor proposed a patch to address the identified vulnerability in Starlette.
  • 2026-05-21 — Patch publicly released: The vendor released a public patch to fix the vulnerability in Starlette.
  • 2026-05-27 — Advisory released: An advisory detailing the vulnerability and its implications was published.

Related entities

  • Zero-day Exploit (Attack Type)
  • CWE-20 - Improper Input Validation (Cwe)
  • CWE-287 - Improper Authentication (Cwe)
  • CWE-918 - Server-Side Request Forgery (SSRF) (Cwe)
  • FastAPI (Tool)
  • Starlette (Platform)