Loading...
Loading...
A critical vulnerability dubbed “BadHost” (CVE-2026-48710) in Starlette — the ASGI framework underlying FastAPI and many Python AI tooling stacks — lets attackers bypass path-based authorization by manipulating the HTTP Host header. Affecting Starlette versions before 1.0.1, the trivial-to-exploit bug can expose Model Context Protocol (MCP) endpoints that store credentials and connectors for AI agents, enabling data exfiltration, SSRF, and possible remote code execution. The flaw endangers millions of AI agents and services (vLLM, LiteLLM, OpenAI-shim proxies, dashboards, and more). Fixes and scanning tools are available; operators are urged to patch immediately and audit exposed services.
BadHost undercuts a core web-framework trust assumption used by FastAPI and many Python AI stacks, enabling trivial bypasses of path-based authorization. Tech teams running AI agents, connectors, or MCP endpoints must treat this as an immediate risk to credentials, data, and service integrity.
Dossier last updated: 2026-05-27 09:50:57
CVE-2026-48710 Starlette Host-Header Auth Bypass
Critical CVE-2026-48710 (BadHost) was disclosed by X41 D-Sec after an OSTIF audit: Starlette versions prior to 1.0.1 build request.url directly from the Host header without sanitization, allowing attackers to craft Host values that change request.url.path and bypass path-based authentication middleware. Thousands of FastAPI and Starlette apps — including vLLM, LiteLLM, MCP servers and AI agent frameworks — may be affected. Fixes: upgrade to Starlette 1.0.1+, avoid path-based auth in middleware (use endpoint decorators/Depends/Security), deploy an RFC-compliant reverse proxy to normalize Host, or use ASGI scope["path"] in middleware. Project owners should scan code for request.url.path usage in middleware and test ASGI deployments behind proxies.
A critical vulnerability in Starlette — the ASGI framework underlying FastAPI and many Python AI tooling stacks — allowed attackers to bypass path-based authorization by injecting a single character into the HTTP Host header. Tracked as CVE-2026-48710 and dubbed “BadHost,” the flaw affected Starlette versions prior to 1.0.1 and was described as trivial to exploit against servers without proper firewalling. Researchers warn the bug exposes credentials and sensitive data across MCP servers and numerous AI agents and services (vLLM, LiteLLM, Text Generation Inference, OpenAI-shim proxies, agent harnesses, eval dashboards, model UIs), enabling data exfiltration, SSRF, and potential remote code execution. Fixes were released and security firms published scanning tools; stakeholders are urged to patch and audit exposed services immediately.
A critical vulnerability in the Starlette open-source ASGI framework imperils millions of AI agents and services by allowing trivial remote breaches of servers that host model context protocol (MCP) endpoints. Starlette — the async foundation used by FastAPI and thousands of dependent projects with some 325 million weekly downloads — exposes ASGI endpoints that can grant attackers access to MCP servers, which store credentials and connectors for AI agents to reach email, calendars, databases and other external systems. The flaw matters because compromised MCP servers give adversaries broad access to sensitive third-party accounts and data across the AI tooling ecosystem, magnifying risk across numerous Python-based web services. Remediation and patching across dependent projects is urgent.