SCA: security update for starlette (GHSA-x746-7m8f-x49c)

medium Tenable Self-Hosted Container Security Plugin ID 443228

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and below, when dispatching a
request, HTTPEndpoint selects the handler by lowercasing the HTTP method and looking it up as an attribute
with getattr, without restricting the lookup to a known set of HTTP verbs. When an HTTPEndpoint subclass
is registered through Route(...) without an explicit methods= argument, the route does not constrain the
method and every method reaches the endpoint. If a non-standard HTTP method whose lowercased name matches
an attribute on the endpoint subclass reaches the endpoint, that attribute is invoked as if it were a
request handler. An attacker can use this to reach methods that were never meant to be HTTP handlers, such
as internal helpers, without the authorization checks applied by the intended public handler. An
application (including Starlette-based frameworks like FastAPI) is affected if it registers an
HTTPEndpoint subclass via Route(...) without explicitly setting methods=, and that subclass includes extra
methods named like non-standard HTTP verbs that take one request argument and return a response. This
issue has been fixed in version 1.1.0. (CVE-2026-48817)

Solution

Update the starlette library and its related packages to version 1.1.0 or later.

See Also

https://github.com/advisories/GHSA-x746-7m8f-x49c

Plugin Details

Severity: Medium

ID: 443228

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 6/16/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2026-48817

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/15/2026

Vulnerability Publication Date: 6/15/2026

Reference Information

CVE: CVE-2026-48817

cwe: CWE-470