CVE-2026-48818 - Starlette StaticFiles UNC SSRF and NTLM leak

CVE-2026-48818 affects Starlette StaticFiles on Windows. In vulnerable versions, a UNC path can reach os.path.realpath() before containment checks, causing the application process to open an outbound SMB connection and leak the service account’s NTLMv2 credentials to an attacker-controlled host. The HTTP response may still be a harmless 404, but the credential exposure happens first.

This is Windows-specific. POSIX deployments are not affected, and the risky shape is an app process on Windows directly serving static files through Starlette’s default StaticFiles behavior.

When to use it

Use this recipe when a FastAPI/Starlette application serves static files from a Windows app process, especially in internal tools, model gateways, MCP servers, or agent control planes. It supports source-code/deployment remediation, Windows UNC path handling review, outbound SMB blocking, and evidence that static-file requests cannot trigger NTLM credential leakage.

Inputs

  • Starlette version, FastAPI dependency tree, OS/runtime target, StaticFiles mounts, static roots, outbound SMB policy, and service account privileges.
  • Source/config paths that mount StaticFiles, normalize paths, run on Windows, configure reverse proxies/CDNs, or set service account identities.
  • Regression fixtures for UNC-like paths, normal static files, denied outbound SMB, moved static serving, and fixed Starlette behavior.
  • Boundary evidence: affected Windows hosts, service account identity, egress firewall rules, static roots, logs, and rollout owner.

Affected versions

  • Vulnerable: starlette < 1.1.0
  • Fixed: 1.1.0+
  • Affected runtime: Windows with StaticFiles and default follow_symlink=False

Indicator-of-exposure

  • The repository resolves starlette < 1.1.0.
  • The deployment runs on Windows.
  • The app mounts or serves StaticFiles, directly or through a framework such as FastAPI.
  • Outbound SMB/445 is allowed from the application host.

Quick checks:

rg -n "StaticFiles\\(|Mount\\(|mount\\(.*StaticFiles|fastapi.staticfiles|starlette.staticfiles" .
python -m pip show starlette fastapi

Windows:

rg -n "StaticFiles\\(|Mount\\(|mount\\(.*StaticFiles|fastapi.staticfiles|starlette.staticfiles" .
python -m pip show starlette fastapi

Do not point the service at attacker-controlled UNC paths or leak real NTLM material during validation.

Remediation strategy

  • Upgrade Starlette to 1.1.0+.
  • On Windows, prefer serving static assets from IIS, nginx, or another dedicated web server instead of StaticFiles in the app process.
  • Block outbound SMB/445 from the application host as a containment layer.
  • Review service accounts and rotate credentials if exposed Windows instances were internet-reachable.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-48818 / GHSA-wqp7-x3pw-xc5r, a Windows-only
Starlette `StaticFiles` issue that can trigger outbound SMB and leak NTLMv2
credentials through UNC path resolution. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Starlette, hardens Windows
  static-file serving, adds safe regression checks, and documents operator
  follow-up, or
- TRIAGE.md if this repository does not control an affected Windows Starlette
  deployment.

## Rules

- Scope only CVE-2026-48818 and directly related `StaticFiles` usage.
- Treat Windows service-account credentials, NTLM material, and internal host
  names as sensitive.
- Do not trigger outbound SMB to attacker-controlled hosts.
- Do not auto-merge.

## Steps

1. Inventory every Starlette/FastAPI app, dependency, image, and deployment
   target controlled here.
2. Determine whether any resolved `starlette` version is below `1.1.0`.
3. Identify whether any deployment runs on Windows and serves files through
   `StaticFiles`.
4. If no controlled affected runtime exists, stop with `TRIAGE.md`.
5. Upgrade Starlette to `1.1.0+` and refresh dependency artifacts.
6. Move Windows static serving behind a dedicated web server where feasible, or
   otherwise document the remaining application-host risk.
7. Add containment by blocking outbound SMB from application hosts where this
   repository controls infrastructure policy.
8. Add safe regression checks that verify patched versions and avoid
   app-process static serving on Windows where policy forbids it.
9. Add a PR body section named `CVE-2026-48818 operator actions` covering
   versions before and after, whether Windows hosts were affected, whether
   outbound SMB was blocked, and whether credential rotation is needed.
10. Run relevant validation: package install, tests, deployment config checks,
    linting, and dependency/security scans.
11. Use PR title:
    `fix(sec): remediate CVE-2026-48818 in Starlette StaticFiles`.

## Stop conditions

- No affected Windows Starlette deployment is controlled here.
- Verification would require triggering outbound SMB to a live remote host.
- Static file serving is owned by another platform team outside this repo.

Output contract

  • A reviewer-ready PR or change request that upgrades Starlette, moves static serving off Windows app processes where possible, blocks outbound SMB, adds UNC regression checks, and documents rollout.
  • Or a TRIAGE.md file that lists inspected files/config, owner, observed version, Windows static-file boundary, SMB egress, required fix, and residual risk.
  • The output must include exact validation commands and must not leak real NTLM hashes, contact attacker SMB hosts from production, or expose service account data.

Verification - what the reviewer looks for

  • No controlled install resolves starlette < 1.1.0.
  • Windows deployments no longer serve static files through the vulnerable in-process pattern, or documented containment exists.
  • Outbound SMB is blocked where infrastructure is under repository control.

Watch for

  • Fixing Linux containers while forgetting Windows developer or on-prem hosts.
  • Assuming FastAPI is unaffected because the direct import is fastapi.
  • Leaving service-account credential rotation undocumented after exposure.

References