LCORE-2360: CVE-2026-48710 #1811

Merged
tisnik merged 1 commit into lightspeed-core:main from tisnik:lcore-2360 on May 28, 2026
Conversation

@tisnik
Contributor

@tisnik tisnik commented May 28, 2026

Description

LCORE-2360: CVE-2026-48710

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement
  • Benchmarks improvement

Tools used to create PR

  • Assisted-by: N/A
  • Generated by: N/A

Related Tickets & Documents

  • Related Issue #LCORE-2360

Summary by CodeRabbit

  • Chores
    • Updated Starlette framework dependency to version 1.1.0.

@coderabbitai
Contributor

coderabbitai Bot commented May 28, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 128e44cb-f5ae-496f-8bb0-95d6754cf1f5

📥 Commits

Reviewing files that changed from the base of the PR and between 397acf1 and 6f272f7.

📒 Files selected for processing (1)
  • .konflux/requirements.hashes.source.txt
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (16)
  • GitHub Check: build-pr
  • GitHub Check: Pylinter
  • GitHub Check: integration_tests (3.12)
  • GitHub Check: integration_tests (3.13)
  • GitHub Check: unit_tests (3.12)
  • GitHub Check: mypy
  • GitHub Check: unit_tests (3.13)
  • GitHub Check: spectral
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
  • GitHub Check: E2E Tests for Lightspeed Evaluation job
  • GitHub Check: E2E: server mode / ci / group 1
  • GitHub Check: E2E: server mode / ci / group 2
  • GitHub Check: E2E: library mode / ci / group 3
  • GitHub Check: E2E: library mode / ci / group 2
  • GitHub Check: E2E: library mode / ci / group 1
  • GitHub Check: E2E: server mode / ci / group 3
🔇 Additional comments (1)
.konflux/requirements.hashes.source.txt (1)

1035-1037: ⚖️ Poor tradeoff

Update Starlette pin for CVE-2026-48710; review 1.1.0 breaking behavior risks

In .konflux/requirements.hashes.source.txt (lines 1035-1037), the starlette==1.1.0 pin and SHA256 hashes match the corresponding lock data, and Starlette 1.1.0 includes the fix for CVE-2026-48710 (“BadHost”) via Host-header validation (patched starting in 1.0.1).

Potential breaking/behavior changes in Starlette 1.1.0 to audit for in this app:

  • FileResponse: fallback media type changed to application/octet-stream
  • HTTPEndpoint: only standard HTTP verbs are dispatched
  • StaticFiles: absolute paths are rejected in lookup_path

starlette==1.1.0 \
    --hash=sha256:7f0dfd38e428aad5cb6f9f667f0ca1d2d8ca3f3385dccac8305f79ec98458382 \
    --hash=sha256:e83c7fe0ddecd8719c5b840080325aec0260acec86e9832899e377b91d65e90f

Walkthrough

Starlette dependency pinned in .konflux/requirements.hashes.source.txt is updated from version 1.0.0 to 1.1.0, with corresponding SHA256 hash values replaced to match the new release.

Changes

Starlette Dependency Update

Layer: Starlette version and hash update
File(s): .konflux/requirements.hashes.source.txt
Summary: Starlette version constraint bumped from 1.0.0 to 1.1.0 with both associated --hash= values updated to match the new release.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title references CVE-2026-48710 and ticket LCORE-2360, which aligns with the PR's stated objective to address this CVE by updating the Starlette dependency.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

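As an added example (not code from this PR or from the lightspeed-core project), a small Python checker for the hash-pinned requirements format that the review comment above discusses. It parses `package==version --hash=sha256:...` entries with backslash continuations, verifies a downloaded artifact's SHA-256 against the pinned hashes (the check pip performs under `--require-hashes`), and flags any pin that is below a known fixed version. The sample input is the starlette entry quoted in the review; the advisory table's starlette entry (CVE-2026-48710, first fixed in 1.0.1) is taken from the review comment. The function names, the `ADVISORIES` structure, the simplified version comparison and the `demo` package used in the usage are assumptions.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample input: the starlette pin as quoted from
# .konflux/requirements.hashes.source.txt in the review comment on this PR.
SAMPLE_REQUIREMENTS = """\
starlette==1.1.0 \\
    --hash=sha256:7f0dfd38e428aad5cb6f9f667f0ca1d2d8ca3f3385dccac8305f79ec98458382 \\
    --hash=sha256:e83c7fe0ddecd8719c5b840080325aec0260acec86e9832899e377b91d65e90f
"""

# Advisory table (assumed structure): package -> (CVE id, first fixed version).
# The starlette entry comes from the review comment: CVE-2026-48710 patched starting in 1.0.1.
ADVISORIES = {"starlette": ("CVE-2026-48710", "1.0.1")}


@dataclass
class PinnedRequirement:
    name: str
    version: str
    sha256_hashes: set[str] = field(default_factory=set)


_PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9][0-9A-Za-z.]*)$")


def _logical_lines(text: str):
    """Join pip-style backslash continuations into one logical line each; skip blanks and comments."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:  # file ended on a continuation line; emit what we have
        yield " ".join(buf)


def parse_hashed_requirements(text: str) -> list[PinnedRequirement]:
    """Parse a hash-pinned requirements file; reject anything that is not an exact pin with hashes."""
    reqs = []
    for logical in _logical_lines(text):
        tokens = logical.split()
        m = _PIN_RE.match(tokens[0])
        if not m:
            raise ValueError(f"not an exact '==' pin: {tokens[0]!r}")
        req = PinnedRequirement(m.group(1).lower(), m.group(2))
        for tok in tokens[1:]:
            if tok.startswith("--hash=sha256:"):
                req.sha256_hashes.add(tok[len("--hash=sha256:"):].lower())
            else:
                raise ValueError(f"unexpected token in hash-pinned file: {tok!r}")
        if not req.sha256_hashes:
            raise ValueError(f"{req.name}=={req.version} has no --hash pins")
        reqs.append(req)
    return reqs


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def artifact_matches_pin(req: PinnedRequirement, artifact: bytes) -> bool:
    """True only if the artifact's SHA-256 is one of the pinned hashes."""
    return sha256_hex(artifact) in req.sha256_hashes


def _release_tuple(version: str) -> tuple[int, ...]:
    # Assumption: plain dotted release versions only (1.0.1, 1.1.0); no pre-release or local segments.
    return tuple(int(part) for part in version.split("."))


def pin_satisfies_advisory(req: PinnedRequirement, first_fixed_version: str) -> bool:
    return _release_tuple(req.version) >= _release_tuple(first_fixed_version)


def audit_requirements(text: str, advisories=ADVISORIES) -> list[str]:
    """Return one finding per pinned package that is still below its advisory's fixed version."""
    findings = []
    for req in parse_hashed_requirements(text):
        if req.name in advisories:
            cve, fixed = advisories[req.name]
            if not pin_satisfies_advisory(req, fixed):
                findings.append(f"{req.name}=={req.version} is below {fixed}, still affected by {cve}")
    return findings


if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS) or ["no affected pins"]:
        print(finding)
```

The hash check is the supply-chain half of the review: a pin only protects the build if the artifact pip installs actually hashes to one of the listed values, so an unexpected hash on a downloaded sdist or wheel is a hard stop, not a warning. The advisory check is the other half: bumping the version line without consulting the fixed-version data would let a pin like `starlette==1.0.0` sit below the 1.0.1 fix.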

@tisnik tisnik merged commit 9110fb1 into lightspeed-core:main May 28, 2026
31 checks passed