## Summary

When serving static files on Windows, StaticFiles resolves the requested path with [os.path.realpath](https://docs.python.org/3/library/os.path.html#os.path.realpath). If a UNC path (such as `\\attacker.com\share`…
| Field | Value |
|---|---|
| CVE ID | CVE-2026-48818 |
| Vendor | pip |
| Affected Product | starlette |
| Vulnerability Type | Vulnerability |
| CVSS Score | 7.5 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
StaticFiles resolves the requested path with [os.path.realpath](https://docs.python.org/3/library/os.path.html#os.path.realpath). If a UNC path (such as `\\attacker.com\share`) reaches the resolver, realpath causes the process to open a connection to the remote host over SMB (port 445). This is a server-side request forgery (SSRF) that leaks the service account's NTLMv2 credentials to the attacker-controlled host, where they can be cracked offline or relayed to other hosts.

`StaticFiles.lookup_path()` joins the requested path onto the served directory and calls [os.path.realpath](https://docs.python.org/3/library/os.path.html#os.path.realpath) on the result before checking containment with [os.path.commonpath](https://docs.python.org/3/library/os.path.html#os.path.commonpath). Because the containment check runs only after resolution, the SMB connection has already been made by the time an out-of-root path is rejected.
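The ordering problem described above, as an added example that is not Starlette's code and not the vendor's fix: it uses the `ntpath` module so the Windows join-and-normalise step runs as pure string manipulation on any OS, with no filesystem or network access. The static root `C:\srv\static` and the request paths are constructed for the demonstration. `joined_path_windows` shows that `os.path.join` discards the served directory as soon as the request path carries a UNC or drive prefix, `escapes_root_before_resolution` shows that the `commonpath` containment check would indeed reject such a path (but in the vulnerable ordering only after `realpath` has already touched the remote host), and `reject_unsafe_request_path` is a hypothetical pre-resolution filter that refuses UNC, drive-qualified, absolute and `..` paths before any `os.path` resolution call is made.

```python
"""Added example (not Starlette's code): why a UNC path must be rejected
*before* os.path.realpath runs. Uses ntpath so it executes on any OS and
never opens a file or a network connection.

Constructed for the demonstration: the static root below and the sample
request paths in main().
"""
import ntpath

# Constructed example root for the static file mount (assumed value).
STATIC_ROOT = r"C:\srv\static"


def joined_path_windows(directory: str, request_path: str) -> str:
    """Replicate the join-then-normalise step a static file handler performs
    on Windows. Pure string manipulation: nothing is opened on disk.

    ntpath.join drops `directory` entirely when the second argument is
    absolute or carries a UNC/drive prefix, which is how \\\\host\\share can
    end up being handed to os.path.realpath unchanged.
    """
    return ntpath.normpath(ntpath.join(directory, request_path))


def escapes_root_before_resolution(directory: str, request_path: str) -> bool:
    """True when the joined path already lies outside `directory`.

    This is the same containment test os.path.commonpath provides. In the
    vulnerable ordering it runs only after realpath, so a True result here
    arrives too late: realpath itself makes the SMB connection to a UNC host.
    """
    joined = joined_path_windows(directory, request_path)
    root = ntpath.normpath(directory)
    try:
        return ntpath.commonpath([root, joined]) != root
    except ValueError:
        # Different drives (or UNC share vs. local drive): no common path.
        return True


def reject_unsafe_request_path(request_path: str) -> tuple[bool, str]:
    """Hypothetical pre-resolution filter (not the project's fix): accept only
    a plain relative path of ordinary segments. Returns (allowed, reason).

    Runs before any filesystem call, so a UNC or drive prefix is refused
    without realpath ever being invoked on it.
    """
    # ntpath.splitdrive recognises both C: and \\server\share prefixes,
    # and treats '/' as a separator too, so //host/share is also caught.
    drive, tail = ntpath.splitdrive(request_path)
    if drive:
        return False, "drive or UNC prefix not allowed"
    if tail[:1] in ("\\", "/"):
        return False, "absolute path not allowed"
    segments = tail.replace("\\", "/").split("/")
    if any(seg in ("", ".", "..") for seg in segments):
        return False, "empty, '.' or '..' segment not allowed"
    return True, "ok"


def main() -> None:
    # Constructed request paths: one benign, two out-of-root.
    for req in (r"css\app.css", r"..\..\Windows\win.ini", r"\\attacker.com\share\x"):
        joined = joined_path_windows(STATIC_ROOT, req)
        escaped = escapes_root_before_resolution(STATIC_ROOT, req)
        allowed, reason = reject_unsafe_request_path(req)
        print(f"{req!r:32} -> joined={joined!r}")
        print(f"{'':32}    escapes root (post-resolution check): {escaped}")
        print(f"{'':32}    pre-resolution filter: {allowed} ({reason})")


if __name__ == "__main__":
    main()
```

Run it as a script to see each request path, the string `realpath` would have received, and the verdict of both checks. The point to take from the output is that the containment test and the filter agree on every path; the only difference is that the filter reaches its verdict before any resolution call, which is what matters for a UNC path.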