CVE-2026-54282

Source
https://cve.org/CVERecord?id=CVE-2026-54282
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54282.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54282
Aliases
Downstream
Related
Published
2026-06-22T16:45:01.629Z
Modified
2026-07-08T08:12:41.261704661Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname
Details

Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating {scheme}://{host}{path} and re-parsing the result, a path that does not begin with / (for example @google.com) moves the authority boundary during re-parsing, so request.url.hostname and request.url.netloc become attacker-controlled. Code that reads request.url.hostname (rather than the Host header or scope) can therefore be misled into trusting an attacker-supplied host. This vulnerability is fixed in 1.3.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54282.json",
    "cwe_ids": [
        "CWE-706"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/kludex/starlette

Affected ranges

Type
GIT
Repo
https://github.com/kludex/starlette
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.3.0"
        }
    ]
}

Affected versions

0.*
0.1.0
0.1.1
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16
0.1.17
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.10.0
0.10.1
0.10.4
0.11.1
0.11.2
0.11.3
0.11.4
0.12.0
0.12.0.b1
0.12.0.b2
0.12.0.b3
0.12.11
0.12.12
0.12.13
0.12.2
0.12.3
0.12.4
0.12.5
0.12.6
0.12.7
0.12.8
0.12.9
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.13.5
0.13.6
0.13.7
0.13.8
0.14.0
0.14.1
0.14.2
0.15.0
0.16.0
0.17.0
0.17.1
0.18.0
0.19.0
0.19.1
0.2.1
0.2.2
0.2.3
0.20.0
0.20.1
0.20.2
0.20.3
0.20.4
0.21.0
0.22.0
0.23.0
0.23.1
0.24.0
0.25.0
0.26.0
0.26.0.post1
0.26.1
0.27.0
0.28.0
0.29.0
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.30.0
0.31.0
0.31.1
0.32.0
0.32.0.post1
0.33.0
0.34.0
0.35.0
0.35.1
0.36.0
0.36.1
0.36.2
0.36.3
0.37.0
0.37.1
0.37.2
0.38.0
0.38.1
0.38.2
0.38.3
0.38.4
0.38.5
0.38.6
0.39.0
0.39.1
0.39.2
0.4.0
0.4.1
0.4.2
0.40.0
0.41.0
0.41.1
0.41.2
0.41.3
0.42.0
0.43.0
0.44.0
0.45.0
0.45.1
0.45.2
0.45.3
0.46.0
0.46.1
0.46.2
0.47.0
0.47.1
0.47.2
0.47.3
0.48.0
0.49.0
0.49.1
0.49.2
0.49.3
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.50.0
0.51.0
0.52.0
0.52.1
0.6.1
0.6.2
0.6.3
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.9.0
0.9.1
0.9.10
0.9.11
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
1.*
1.0.0
1.0.0rc1
1.0.1
1.1.0
1.2.0
1.2.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54282.json"