🔐 CVE Alert

CVE-2026-48818

HIGH 7.5

Starlette: SSRF and NTLM credential theft via UNC paths in StaticFiles on Windows

CVSS Score: 7.5
EPSS Score: 0.0%
EPSS Percentile: 0th

Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. A UNC path such as \\attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection before the path is rejected; the service account authenticates to the attacker's host with NTLM during that connection, so its NTLMv2 challenge-response can be captured for offline cracking or relayed, even though the HTTP response is only a 404. The issue affects default follow_symlink=False deployments, including frameworks built on Starlette such as FastAPI; POSIX systems and follow_symlink=True are unaffected. The issue is fixed in 1.1.0. Until the upgrade is in place, blocking outbound TCP 445/139 from the web host (or a policy that restricts outgoing NTLM) stops the credential leak at the network layer; note that the only server-side trace is an ordinary 404 in the access log, so detection should look for outbound SMB from web-serving hosts rather than for a distinctive HTTP status.

CWE: CWE-918 (Server-Side Request Forgery)
Vendor: kludex
Product: starlette
Published: Jun 17, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Affected Versions

Kludex/starlette: < 1.1.0

References

GitHub advisory GHSA-wqp7-x3pw-xc5r: https://github.com/Kludex/starlette/security/advisories/GHSA-wqp7-x3pw-xc5r
Pull request #3287: https://github.com/Kludex/starlette/pull/3287
Commit fd53168: https://github.com/Kludex/starlette/commit/fd53168a7767b6b55ba5af787fd88f49e33cabc5
Release 1.1.0: https://github.com/Kludex/starlette/releases/tag/1.1.0