CVE-2026-48710
Description
Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 ยง3.2 / RFC 3986 ยง3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
Show JSON
{
"cve": {
"id": "CVE-2026-48710",
"cveTags": [],
"metrics": {
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-48710",
"role": "CISA Coordinator",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "partial"
}
],
"version": "2.0.3",
"timestamp": "2026-05-27T14:22:19.241769Z"
}
}
],
"cvssMetricV31": [
{
"type": "Secondary",
"source": "security-advisories@github.com",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 6.5,
"attackVector": "NETWORK",
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"integrityImpact": "LOW",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"availabilityImpact": "NONE",
"privilegesRequired": "NONE",
"confidentialityImpact": "LOW"
},
"impactScore": 2.5,
"exploitabilityScore": 3.9
},
{
"type": "Primary",
"source": "nvd@nist.gov",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 6.5,
"attackVector": "NETWORK",
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"integrityImpact": "LOW",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"availabilityImpact": "NONE",
"privilegesRequired": "NONE",
"confidentialityImpact": "LOW"
},
"impactScore": 2.5,
"exploitabilityScore": 3.9
},
{
"type": "Secondary",
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 6.5,
"attackVector": "NETWORK",
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"integrityImpact": "LOW",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"availabilityImpact": "NONE",
"privilegesRequired": "NONE",
"confidentialityImpact": "LOW"
},
"impactScore": 2.5,
"exploitabilityScore": 3.9
}
]
},
"affected": [
{
"source": "security-advisories@github.com",
"affectedData": [
{
"vendor": "Kludex",
"product": "starlette",
"versions": [
{
"status": "affected",
"version": "< 1.0.1"
}
]
}
]
},
{
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"affectedData": [
{
"cpes": [
"cpe:/a:redhat:ai_inference_server:3.3::el9"
],
"vendor": "Red Hat",
"product": "Red Hat AI Inference Server 3.3",
"versions": [
{
"status": "unaffected",
"version": "1782353093",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhaiis/vllm-rocm-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:ai_inference_server:3.3::el9"
],
"vendor": "Red Hat",
"product": "Red Hat AI Inference Server 3.3",
"versions": [
{
"status": "unaffected",
"version": "1782352847",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhaiis/vllm-cuda-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2.6::el9"
],
"vendor": "Red Hat",
"product": "Red Hat Ansible Automation Platform 2.6",
"versions": [
{
"status": "unaffected",
"version": "1780102732",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "ansible-automation-platform-26/lightspeed-chatbot-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2.7::el9"
],
"vendor": "Red Hat",
"product": "Red Hat Ansible Automation Platform 2.7",
"versions": [
{
"status": "unaffected",
"version": "1780099185",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "ansible-automation-platform-27/lightspeed-chatbot-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.3::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.3",
"versions": [
{
"status": "unaffected",
"version": "1782997656",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-feature-server-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.3::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.3",
"versions": [
{
"status": "unaffected",
"version": "1782471672",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.3::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.3",
"versions": [
{
"status": "unaffected",
"version": "1782471731",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.3::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.3",
"versions": [
{
"status": "unaffected",
"version": "1782471732",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.3::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.3",
"versions": [
{
"status": "unaffected",
"version": "1782471849",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.3::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.3",
"versions": [
{
"status": "unaffected",
"version": "1782471734",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.3::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.3",
"versions": [
{
"status": "unaffected",
"version": "1782991170",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-training-cuda128-torch29-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.3::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.3",
"versions": [
{
"status": "unaffected",
"version": "1782472374",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.3::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.3",
"versions": [
{
"status": "unaffected",
"version": "1782471796",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.3::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.3",
"versions": [
{
"status": "unaffected",
"version": "1782471661",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.3::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.3",
"versions": [
{
"status": "unaffected",
"version": "1782471753",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.3::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.3",
"versions": [
{
"status": "unaffected",
"version": "1782471740",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.3::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.3",
"versions": [
{
"status": "unaffected",
"version": "1782471834",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.3::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.3",
"versions": [
{
"status": "unaffected",
"version": "1782471730",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.4::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.4",
"versions": [
{
"status": "unaffected",
"version": "1782132126",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-llama-stack-core-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.4::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.4",
"versions": [
{
"status": "unaffected",
"version": "1782132686",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.4::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.4",
"versions": [
{
"status": "unaffected",
"version": "1782132403",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.4::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.4",
"versions": [
{
"status": "unaffected",
"version": "1782132444",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.4::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.4",
"versions": [
{
"status": "unaffected",
"version": "1782132767",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.4::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.4",
"versions": [
{
"status": "unaffected",
"version": "1782132493",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.4::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.4",
"versions": [
{
"status": "unaffected",
"version": "1782132379",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.4::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.4",
"versions": [
{
"status": "unaffected",
"version": "1782133907",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-trustyai-garak-lls-provider-dsp-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.4::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.4",
"versions": [
{
"status": "unaffected",
"version": "1782420349",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-trustyai-nemo-guardrails-server-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.4::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.4",
"versions": [
{
"status": "unaffected",
"version": "1782133865",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.4::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.4",
"versions": [
{
"status": "unaffected",
"version": "1782133337",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.4::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.4",
"versions": [
{
"status": "unaffected",
"version": "1782132473",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.4::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.4",
"versions": [
{
"status": "unaffected",
"version": "1782132660",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.4::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.4",
"versions": [
{
"status": "unaffected",
"version": "1782301637",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.4::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.4",
"versions": [
{
"status": "unaffected",
"version": "1782132564",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai:3.4::el9"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI 3.4",
"versions": [
{
"status": "unaffected",
"version": "1782135300",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6.18::el9"
],
"vendor": "Red Hat",
"product": "Red Hat Satellite 6.18",
"versions": [
{
"status": "unaffected",
"version": "1780492008",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "satellite/foreman-mcp-server-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6.18::el9"
],
"vendor": "Red Hat",
"product": "Red Hat Satellite 6.18",
"versions": [
{
"status": "unaffected",
"version": "1780414237",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "satellite/iop-host-inventory-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6.19::el9"
],
"vendor": "Red Hat",
"product": "Red Hat Satellite 6.19",
"versions": [
{
"status": "unaffected",
"version": "1780492012",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "satellite/foreman-mcp-server-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6.19::el9"
],
"vendor": "Red Hat",
"product": "Red Hat Satellite 6.19",
"versions": [
{
"status": "unaffected",
"version": "1782139619",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "satellite/iop-vmaas-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6.19::el9"
],
"vendor": "Red Hat",
"product": "Red Hat Satellite 6.19",
"versions": [
{
"status": "unaffected",
"version": "1780403026",
"lessThan": "*",
"versionType": "rpm"
}
],
"packageName": "satellite/iop-host-inventory-rhel9",
"collectionURL": "https://catalog.redhat.com/software/containers/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:exploit_intelligence:0"
],
"vendor": "Red Hat",
"product": "Exploit Intelligence",
"packageName": "exploit-intelligence-tech-preview/vulnerability-analysis-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:migration_toolkit_applications:8"
],
"vendor": "Red Hat",
"product": "Migration Toolkit for Applications 8",
"packageName": "mta/mta-solution-server-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_lightspeed"
],
"vendor": "Red Hat",
"product": "OpenShift Lightspeed",
"packageName": "openshift-lightspeed/lightspeed-ocp-rag-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_lightspeed"
],
"vendor": "Red Hat",
"product": "OpenShift Lightspeed",
"packageName": "openshift-lightspeed/lightspeed-service-api-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:ai_inference_server:3"
],
"vendor": "Red Hat",
"product": "Red Hat AI Inference Server",
"packageName": "rhaiis/vllm-cpu-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:ai_inference_server:3"
],
"vendor": "Red Hat",
"product": "Red Hat AI Inference Server",
"packageName": "rhaiis/vllm-neuron-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:ai_inference_server:3"
],
"vendor": "Red Hat",
"product": "Red Hat AI Inference Server",
"packageName": "rhaiis/vllm-spyre-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:ai_inference_server:3"
],
"vendor": "Red Hat",
"product": "Red Hat AI Inference Server",
"packageName": "rhaiis/vllm-tpu-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:ai_inference_server:3"
],
"vendor": "Red Hat",
"product": "Red Hat AI Inference Server",
"packageName": "rhaii/vllm-cpu-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:ai_inference_server:3"
],
"vendor": "Red Hat",
"product": "Red Hat AI Inference Server",
"packageName": "rhaii/vllm-gaudi-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:ai_inference_server:3"
],
"vendor": "Red Hat",
"product": "Red Hat AI Inference Server",
"packageName": "rhaii/vllm-neuron-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:ai_inference_server:3"
],
"vendor": "Red Hat",
"product": "Red Hat AI Inference Server",
"packageName": "rhaii/vllm-spyre-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:ai_inference_server:3"
],
"vendor": "Red Hat",
"product": "Red Hat AI Inference Server",
"packageName": "rhaii/vllm-tpu-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"vendor": "Red Hat",
"product": "Red Hat Ansible Automation Platform 2",
"packageName": "ansible-automation-platform-25/lightspeed-chatbot-rhel8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected"
},
{
"cpes": [
"cpe:/a:redhat:ansible_automation_platform:2"
],
"vendor": "Red Hat",
"product": "Red Hat Ansible Automation Platform 2",
"packageName": "ansible-automation-platform-26/mcp-tools-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"packageName": "rhelai3/bootc-aws-cuda-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"packageName": "rhelai3/bootc-azure-cuda-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"packageName": "rhelai3/bootc-azure-rocm-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"packageName": "rhelai3/bootc-cuda-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"packageName": "rhelai3/bootc-gaudi-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"packageName": "rhelai3/bootc-gcp-cuda-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"packageName": "rhelai3/bootc-rocm-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:enterprise_linux_ai:3"
],
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
"packageName": "rhelai3/disk-image-cuda-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI (RHOAI)",
"packageName": "rhoai/odh-automl-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI (RHOAI)",
"packageName": "rhoai/odh-built-in-detector-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI (RHOAI)",
"packageName": "rhoai/odh-caikit-nlp-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI (RHOAI)",
"packageName": "rhoai/odh-caikit-tgis-serving-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI (RHOAI)",
"packageName": "rhoai/odh-guardrails-detector-huggingface-runtime-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI (RHOAI)",
"packageName": "rhoai/odh-kserve-agent-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI (RHOAI)",
"packageName": "rhoai/odh-kserve-autogluon-server-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI (RHOAI)",
"packageName": "rhoai/odh-kserve-controller-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI (RHOAI)",
"packageName": "rhoai/odh-kserve-router-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI (RHOAI)",
"packageName": "rhoai/odh-kserve-storage-initializer-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI (RHOAI)",
"packageName": "rhoai/odh-llm-d-kv-cache-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI (RHOAI)",
"packageName": "rhoai/odh-mlflow-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI (RHOAI)",
"packageName": "rhoai/odh-mlserver-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "unaffected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI (RHOAI)",
"packageName": "rhoai/odh-th06-cpu-torch210-py312-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI (RHOAI)",
"packageName": "rhoai/odh-th06-cuda130-torch210-py312-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI (RHOAI)",
"packageName": "rhoai/odh-th06-rocm64-torch291-py312-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI (RHOAI)",
"packageName": "rhoai/odh-vllm-cuda-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI (RHOAI)",
"packageName": "rhoai/odh-vllm-gaudi-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:openshift_ai"
],
"vendor": "Red Hat",
"product": "Red Hat OpenShift AI (RHOAI)",
"packageName": "rhoai/odh-vllm-rocm-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6"
],
"vendor": "Red Hat",
"product": "Red Hat Satellite 6",
"packageName": "satellite/iop-advisor-engine-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
},
{
"cpes": [
"cpe:/a:redhat:satellite:6"
],
"vendor": "Red Hat",
"product": "Red Hat Satellite 6",
"packageName": "satellite/iop-vulnerability-engine-rhel9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"defaultStatus": "affected"
}
]
}
],
"published": "2026-05-26T22:16:44.020",
"references": [
{
"url": "https://badhost.org",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/Kludex/starlette/commit/764dab0dcfb9033d75442d7a359645c9f94648c6",
"tags": [
"Patch"
],
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr",
"tags": [
"Vendor Advisory"
],
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/starlette/PYSEC-2026-161.yaml",
"tags": [
"Third Party Advisory"
],
"source": "security-advisories@github.com"
},
{
"url": "https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"source": "security-advisories@github.com"
},
{
"url": "https://www.secwest.net/starlette",
"tags": [
"Exploit",
"Mitigation",
"Third Party Advisory"
],
"source": "security-advisories@github.com"
},
{
"url": "https://www.x41-dsec.de/lab/advisories/x41-2026-002-starlette",
"tags": [
"Exploit",
"Mitigation",
"Third Party Advisory"
],
"source": "security-advisories@github.com"
},
{
"url": "https://access.redhat.com/errata/RHSA-2026:22992",
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
},
{
"url": "https://access.redhat.com/errata/RHSA-2026:22993",
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
},
{
"url": "https://access.redhat.com/errata/RHSA-2026:23346",
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
},
{
"url": "https://access.redhat.com/errata/RHSA-2026:24866",
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
},
{
"url": "https://access.redhat.com/errata/RHSA-2026:26226",
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
},
{
"url": "https://access.redhat.com/errata/RHSA-2026:30088",
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
},
{
"url": "https://access.redhat.com/errata/RHSA-2026:30089",
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
},
{
"url": "https://access.redhat.com/errata/RHSA-2026:34456",
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
},
{
"url": "https://access.redhat.com/errata/RHSA-2026:34526",
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
},
{
"url": "https://access.redhat.com/errata/RHSA-2026:34532",
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
},
{
"url": "https://access.redhat.com/errata/RHSA-2026:37275",
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
},
{
"url": "https://access.redhat.com/security/cve/CVE-2026-48710",
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481742",
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
},
{
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-48710.json",
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
}
],
"vulnStatus": "Modified",
"weaknesses": [
{
"type": "Secondary",
"source": "security-advisories@github.com",
"description": [
{
"lang": "en",
"value": "CWE-444"
}
]
},
{
"type": "Secondary",
"source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"description": [
{
"lang": "en",
"value": "CWE-1289"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 \u00a73.2 / RFC 3986 \u00a73.2.2 when constructing `request.url` and falls back to `scope[\"server\"]` for malformed values."
}
],
"lastModified": "2026-07-15T02:22:23.547",
"configurations": [
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:encode:starlette:*:*:*:*:*:python:*:*",
"vulnerable": true,
"matchCriteriaId": "4C7C6045-86A6-4FAC-AE15-B12438E9D1B4",
"versionEndExcluding": "1.0.1",
"versionStartIncluding": "0.8.3"
}
],
"operator": "OR"
}
]
}
],
"sourceIdentifier": "security-advisories@github.com"
}
}