CVE-2026-48817
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk12th percentile — higher than 12% of all known CVEs
Summary
A vulnerability in Starlette versions 1.0.1 and below allows an attacker to invoke internal methods not intended for HTTP request handling by using non-standard HTTP verbs. The issue stems from the lack of restriction on allowed HTTP methods when registering an endpoint via Route(...) without explicitly setting the methods= parameter.
Risk Assessment
An attacker can bypass authorization mechanisms and access internal application functions that should not be externally accessible, potentially leading to unauthorized data disclosure or privilege escalation.
Recommendation
Immediately update Starlette to version 1.1.0 or later. If an update is not possible, always explicitly specify the methods= parameter with a list of allowed HTTP verbs when registering endpoints via Route(...).
Original NVD description (English source)
Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and below, when dispatching a request, HTTPEndpoint selects the handler by lowercasing the HTTP method and looking it up as an attribute with getattr, without restricting the lookup to a known set of HTTP verbs. When an HTTPEndpoint subclass is registered through Route(...) without an explicit methods= argument, the route does not constrain the method and every method reaches the endpoint. If a non-standard HTTP method whose lowercased name matches an attribute on the endpoint subclass reaches the endpoint, that attribute is invoked as if it were a request handler. An attacker can use this to reach methods that were never meant to be HTTP handlers, such as internal helpers, without the authorization checks applied by the intended public handler. An application (including Starlette-based frameworks like FastAPI) is affected if it registers an HTTPEndpoint subclass via Route(...) without explicitly setting methods=, and that subclass includes extra methods named like non-standard HTTP verbs that take one request argument and return a response. This issue has been fixed in version 1.1.0.

