CVE-2026-48818 - Starlette StaticFiles UNC SSRF and NTLM leak
CVE-2026-48818 affects Starlette StaticFiles on Windows. In vulnerable
versions, a UNC path can reach os.path.realpath() before containment checks,
causing the application process to open an outbound SMB connection and leak the
service account’s NTLMv2 credentials to an attacker-controlled host. The HTTP
response may still be a harmless 404, but the credential exposure happens first.
This is Windows-specific. POSIX deployments are not affected, and the risky
shape is an app process on Windows directly serving static files through
Starlette’s default StaticFiles behavior.
When to use it
Use this recipe when a FastAPI/Starlette application serves static files from a Windows app process, especially in internal tools, model gateways, MCP servers, or agent control planes. It supports source-code/deployment remediation, Windows UNC path handling review, outbound SMB blocking, and evidence that static-file requests cannot trigger NTLM credential leakage.
Inputs
- Starlette version, FastAPI dependency tree, OS/runtime target, StaticFiles mounts, static roots, outbound SMB policy, and service account privileges.
- Source/config paths that mount
StaticFiles, normalize paths, run on Windows, configure reverse proxies/CDNs, or set service account identities. - Regression fixtures for UNC-like paths, normal static files, denied outbound SMB, moved static serving, and fixed Starlette behavior.
- Boundary evidence: affected Windows hosts, service account identity, egress firewall rules, static roots, logs, and rollout owner.
Affected versions
- Vulnerable:
starlette < 1.1.0 - Fixed:
1.1.0+ - Affected runtime: Windows with
StaticFilesand defaultfollow_symlink=False
Indicator-of-exposure
- The repository resolves
starlette < 1.1.0. - The deployment runs on Windows.
- The app mounts or serves
StaticFiles, directly or through a framework such as FastAPI. - Outbound SMB/445 is allowed from the application host.
Quick checks:
rg -n "StaticFiles\\(|Mount\\(|mount\\(.*StaticFiles|fastapi.staticfiles|starlette.staticfiles" .
python -m pip show starlette fastapi
Windows:
rg -n "StaticFiles\\(|Mount\\(|mount\\(.*StaticFiles|fastapi.staticfiles|starlette.staticfiles" .
python -m pip show starlette fastapi
Do not point the service at attacker-controlled UNC paths or leak real NTLM material during validation.
Remediation strategy
- Upgrade Starlette to
1.1.0+. - On Windows, prefer serving static assets from IIS, nginx, or another
dedicated web server instead of
StaticFilesin the app process. - Block outbound SMB/445 from the application host as a containment layer.
- Review service accounts and rotate credentials if exposed Windows instances were internet-reachable.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-48818 / GHSA-wqp7-x3pw-xc5r, a Windows-only
Starlette `StaticFiles` issue that can trigger outbound SMB and leak NTLMv2
credentials through UNC path resolution. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades Starlette, hardens Windows
static-file serving, adds safe regression checks, and documents operator
follow-up, or
- TRIAGE.md if this repository does not control an affected Windows Starlette
deployment.
## Rules
- Scope only CVE-2026-48818 and directly related `StaticFiles` usage.
- Treat Windows service-account credentials, NTLM material, and internal host
names as sensitive.
- Do not trigger outbound SMB to attacker-controlled hosts.
- Do not auto-merge.
## Steps
1. Inventory every Starlette/FastAPI app, dependency, image, and deployment
target controlled here.
2. Determine whether any resolved `starlette` version is below `1.1.0`.
3. Identify whether any deployment runs on Windows and serves files through
`StaticFiles`.
4. If no controlled affected runtime exists, stop with `TRIAGE.md`.
5. Upgrade Starlette to `1.1.0+` and refresh dependency artifacts.
6. Move Windows static serving behind a dedicated web server where feasible, or
otherwise document the remaining application-host risk.
7. Add containment by blocking outbound SMB from application hosts where this
repository controls infrastructure policy.
8. Add safe regression checks that verify patched versions and avoid
app-process static serving on Windows where policy forbids it.
9. Add a PR body section named `CVE-2026-48818 operator actions` covering
versions before and after, whether Windows hosts were affected, whether
outbound SMB was blocked, and whether credential rotation is needed.
10. Run relevant validation: package install, tests, deployment config checks,
linting, and dependency/security scans.
11. Use PR title:
`fix(sec): remediate CVE-2026-48818 in Starlette StaticFiles`.
## Stop conditions
- No affected Windows Starlette deployment is controlled here.
- Verification would require triggering outbound SMB to a live remote host.
- Static file serving is owned by another platform team outside this repo.
Output contract
- A reviewer-ready PR or change request that upgrades Starlette, moves static serving off Windows app processes where possible, blocks outbound SMB, adds UNC regression checks, and documents rollout.
- Or a
TRIAGE.mdfile that lists inspected files/config, owner, observed version, Windows static-file boundary, SMB egress, required fix, and residual risk. - The output must include exact validation commands and must not leak real NTLM hashes, contact attacker SMB hosts from production, or expose service account data.
Verification - what the reviewer looks for
- No controlled install resolves
starlette < 1.1.0. - Windows deployments no longer serve static files through the vulnerable in-process pattern, or documented containment exists.
- Outbound SMB is blocked where infrastructure is under repository control.
Watch for
- Fixing Linux containers while forgetting Windows developer or on-prem hosts.
- Assuming FastAPI is unaffected because the direct import is
fastapi. - Leaving service-account credential rotation undocumented after exposure.
Related recipes
- Source code secrets and data exposure audit
- Source code attack surface map
- OWASP Top 10 2026 audit
- NIST SSDF repository evidence check
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-wqp7-x3pw-xc5r
- Starlette advisory: https://github.com/Kludex/starlette/security/advisories/GHSA-wqp7-x3pw-xc5r