A critical vulnerability, CVE-2026-48710 (“BadHost”), was disclosed in Starlette versions before 1.0.1, where request.url is rebuilt from an attacker-controlled Host header. That allowed simple Host manipulations to alter request.url.path and bypass middleware that enforces path-based authorization—affecting many FastAPI and ASGI-based AI tools and services. Maintainers say the root cause is risky application patterns and deployment gaps (missing proxies/CDNs) rather than core routing, but the ecosystem impact warranted coordinated disclosure. Mitigations include upgrading to Starlette 1.0.1+, avoiding path-based auth in middleware, using ASGI scope["path"] or endpoint-level security, deploying RFC-compliant reverse proxies, and auditing code for the pattern.
BadHost (CVE-2026-48710) affects Starlette versions before 1.0.1 and can let attackers bypass path-based authorization by manipulating the Host header. Tech teams using FastAPI or ASGI stacks should assess exposure, deployment topology, and middleware assumptions to avoid unauthorized access.
Dossier last updated: 2026-06-01 19:02:22
A Starlette maintainer explains CVE-2026-48710, a vulnerability where request.url is reconstructed from an attacker-controlled Host header, letting middleware that authorizes based on request.url.path be bypassed. The router itself dispatches on the raw HTTP path, so routing is correct; the flaw arises when applications derive authorization from the reconstructed URL and when deployments lack fronting components (CDNs, gateways) that validate Host. The maintainer argues this is an application pattern and deployment issue rather than a core framework bug, while acknowledging the ecosystem risk that justified coordinated disclosure and the CVE. They also discuss tensions in the disclosure process and urge better practices like avoiding path-based auth.
CVE-2026-48710 Starlette Host-Header Auth Bypass
Critical CVE-2026-48710 (BadHost) was disclosed by X41 D-Sec after an OSTIF audit: Starlette versions prior to 1.0.1 build request.url directly from the Host header without sanitization, allowing attackers to craft Host values that change request.url.path and bypass path-based authentication middleware. Thousands of FastAPI and Starlette apps — including vLLM, LiteLLM, MCP servers and AI agent frameworks — may be affected. Fixes: upgrade to Starlette 1.0.1+, avoid path-based auth in middleware (use endpoint decorators/Depends/Security), deploy an RFC-compliant reverse proxy to normalize Host, or use ASGI scope["path"] in middleware. Project owners should scan code for request.url.path usage in middleware and test ASGI deployments behind proxies.
A critical vulnerability in Starlette — the ASGI framework underlying FastAPI and many Python AI tooling stacks — allowed attackers to bypass path-based authorization by injecting a single character into the HTTP Host header. Tracked as CVE-2026-48710 and dubbed “BadHost,” the flaw affected Starlette versions prior to 1.0.1 and was described as trivial to exploit against servers without proper firewalling. Researchers warn the bug exposes credentials and sensitive data across MCP servers and numerous AI agents and services (vLLM, LiteLLM, Text Generation Inference, OpenAI-shim proxies, agent harnesses, eval dashboards, model UIs), enabling data exfiltration, SSRF, and potential remote code execution. Fixes were released and security firms published scanning tools; stakeholders are urged to patch and audit exposed services immediately.
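The mitigation the summaries above recommend for middleware, deciding on ASGI scope["path"] rather than on a URL reconstructed from the Host header, can be implemented without touching request.url at all. The block below is an added illustration written for this page, not Starlette's own code or the patched implementation: a pure-ASGI authorization middleware whose decision depends only on scope["path"] and the Authorization header, exercised against constructed request scopes. The protected prefixes, the bearer token and the host names are all made-up sample values; the actual BadHost Host-header payload is not shown on the page and is not reproduced here.

```python
"""Pure-ASGI path authorization that never consults the Host header.

Hypothetical example for this page (not Starlette's code). The ASGI server
fills scope["path"] from the HTTP request line, so a Host header value cannot
change it; that is what makes it a safer basis than request.url.path.
"""
import asyncio
from typing import Optional

# Constructed policy: these path prefixes require a bearer token.
PROTECTED_PREFIXES = ("/admin", "/v1/models")
# Constructed sample token; a real service would validate against a store.
VALID_TOKENS = {"constructed-secret-token"}


def is_protected(path: str) -> bool:
    """Exact-segment prefix match so '/administrator' is not treated as '/admin'."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def header(scope: dict, name: bytes) -> Optional[bytes]:
    """Return the first header with the given lowercase name, or None."""
    for key, value in scope.get("headers", []):
        if key.lower() == name:
            return value
    return None


def authorized(scope: dict) -> bool:
    """Decide purely on scope['path'] plus the Authorization header."""
    path = scope["path"]
    if not is_protected(path):
        return True
    auth = header(scope, b"authorization")
    if auth is None:
        return False
    scheme, _, token = auth.decode("latin-1").partition(" ")
    return scheme.lower() == "bearer" and token in VALID_TOKENS


class PathAuthMiddleware:
    """ASGI middleware that rejects unauthorized requests to protected paths."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http" or authorized(scope):
            await self.app(scope, receive, send)
            return
        await send({"type": "http.response.start", "status": 401,
                    "headers": [(b"content-type", b"text/plain")]})
        await send({"type": "http.response.body", "body": b"unauthorized"})


async def downstream(scope, receive, send):
    """Stand-in for the protected application."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def make_scope(path: str, host: str, authorization: Optional[str] = None) -> dict:
    """Build a constructed ASGI HTTP scope for testing."""
    headers = [(b"host", host.encode("latin-1"))]
    if authorization is not None:
        headers.append((b"authorization", authorization.encode("latin-1")))
    return {"type": "http", "method": "GET", "path": path,
            "raw_path": path.encode("latin-1"), "headers": headers}


def run_request(path: str, host: str, authorization: Optional[str] = None) -> int:
    """Drive the middleware with a constructed scope and return the HTTP status."""
    sent = []

    async def send(message):
        sent.append(message)

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    app = PathAuthMiddleware(downstream)
    asyncio.run(app(make_scope(path, host, authorization), receive, send))
    return sent[0]["status"]


if __name__ == "__main__":
    # The Host value plays no part in the decision; only the path and token do.
    print(run_request("/admin/users", "api.example"))                       # 401
    print(run_request("/admin/users", "unrelated.example",
                      "Bearer constructed-secret-token"))                  # 200
    print(run_request("/public/health", "unrelated.example"))              # 200
```

The same policy is better expressed at the endpoint level (FastAPI's Depends/Security, as the summaries advise) so that authorization sits next to the handler it protects; the middleware form above is for cases where a gate must stay in middleware, and its only path source is the one the server parsed from the request line.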