PYSEC-2026-2196

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/litestar/PYSEC-2026-2196.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2196
Aliases
Published
2026-02-09T20:15:57.177Z
Modified
2026-07-13T07:15:34.259035891Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . matches any character). This enables a bypass where an attacker supplies a host that matches the regex but is not the intended literal hostname. This vulnerability is fixed in 2.20.0.

References

Affected packages

PyPI / litestar

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.20.0

Affected versions

1.*
1.0.0a0
2.*
2.0.0a3
2.0.0a4
2.0.0a5
2.0.0a6
2.0.0a7
2.0.0b1
2.0.0b2
2.0.0b3
2.0.0b4
2.0.0rc1
2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.2.1
2.3.0
2.3.1
2.3.2
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.7.0
2.7.1
2.7.2
2.8.0
2.8.1
2.8.2
2.8.3
2.9.0
2.9.1
2.10.0
2.11.0
2.12.0
2.12.1
2.13.0
2.14.0
2.15.0
2.15.1
2.15.2
2.16.0
2.17.0
2.18.0
2.19.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/litestar/PYSEC-2026-2196.yaml"