CVE Catalog

CVE-2026-48818

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.37%

29th percentile — higher than 29% of all known CVEs

Summary

A vulnerability in Starlette 1.0.1 and earlier on Windows allows SSRF via UNC path. When the server validates the path, it sends an SMB request to the attacker, leaking NTLMv2 credentials. The issue affects default follow_symlink=False deployments, including frameworks like FastAPI.

Risk Assessment

An attacker can capture the service account's NTLMv2 credentials for offline cracking or relay attacks, potentially gaining unauthorized access to network resources.

Recommendation

Upgrade Starlette to version 1.1.0 or later immediately. If upgrade is not possible, consider disabling static file serving on Windows or implementing network controls to block outbound SMB traffic.

Original NVD description (English source)

Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. An UNC path such as \\attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection before the path is rejected, exposing the service account’s NTLMv2 credentials for offline cracking or relay even though the HTTP response is only a 404. The issue affects default follow_symlink=False deployments, including frameworks built on Starlette such as FastAPI; POSIX systems and follow_symlink=True are unaffected. The issue is fixed in 1.1.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS