
FastAPI-based AI tools exposed to authentication bypass by flaw in Starlette framework
A single malformed character in a web request can let an unauthenticated attacker slip past the access controls that guard applications built on Starlette, the open-source Python framework that powers FastAPI, researchers said.
The flaw, tracked as CVE-2026-48710, could allow attackers to bypass host-validation protections using malformed Host headers, according to an advisory from the cybersecurity firm X41 D-Sec.
The attack needs no password and no action from a victim, the firm said.
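The advisory text reproduced here does not say which character or parsing quirk triggers the bypass, so the following is not a reproduction of the reported flaw and is not Starlette's own code. It is an added example of the kind of strict, allowlist-based Host check a practitioner might run in front of an application as defense in depth until the patched Starlette is deployed: the header is rejected if it contains anything outside the printable ASCII set, if it is not a well-formed hostname with an optional port, or if the normalised hostname does not exactly match an allowlisted name or a `*.example.com` style suffix pattern. The allowlist and sample header values are constructed for the example.

```python
import re
from typing import Iterable, Optional

# Constructed allowlist for the example; not taken from the advisory.
ALLOWED_HOSTS = {"api.example.com", "example.com"}

# A hostname made of DNS labels (alphanumerics and inner hyphens, dot separated)
# with an optional decimal port. Brackets, trailing dots, empty labels, spaces,
# control characters and anything else fall outside the pattern and are rejected.
_HOST_RE = re.compile(
    r"^(?P<host>[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*)"
    r"(?::(?P<port>\d{1,5}))?$"
)


def normalise_host(raw: str) -> Optional[str]:
    """Return the lower-cased hostname (port stripped) if `raw` is well-formed, else None."""
    # Reject the empty header and any byte outside printable ASCII (0x21-0x7e)
    # before doing anything else, so lower-casing or regex matching never sees
    # control characters, whitespace or non-ASCII look-alikes.
    if not raw or any(not 0x21 <= ord(c) <= 0x7E for c in raw):
        return None
    match = _HOST_RE.match(raw.lower())
    if match is None:
        return None
    port = match.group("port")
    if port is not None and int(port) > 65535:
        return None
    return match.group("host")


def host_allowed(raw: str, allowed: Iterable[str] = ALLOWED_HOSTS) -> bool:
    """True only if the Host header is well-formed and matches the allowlist exactly.

    Patterns of the form "*.example.com" match any non-empty subdomain but not
    the bare apex, mirroring the usual wildcard convention for host allowlists.
    """
    host = normalise_host(raw)
    if host is None:
        return False
    for pattern in allowed:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example.com"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample Host header values, including malformed ones.
    samples = [
        "api.example.com",
        "API.Example.COM:443",
        "api.example.com\x00",
        "api.example.com ",
        "api.example.com.",
        "evil.com#api.example.com",
        "api.example.com:99999",
    ]
    for value in samples:
        print(repr(value), "->", "allowed" if host_allowed(value) else "rejected")
```

Because the check happens before the framework parses the header, it does not depend on how Starlette itself tokenises the Host value; it is a belt-and-braces measure, not a substitute for applying the maintainer's patch.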
Starlette’s maintainer released a patch through an official GitHub security advisory after X41 D-Sec disclosed the vulnerability in coordination with the Open Source Technology Improvement Fund (OSTIF). They found the...