A critical authentication bypass vulnerability tracked as CVE-2026-48710 and named "BadHost" has been disclosed in Starlette, the ASGI framework underlying FastAPI, vLLM, LiteLLM, MCP servers, and the broader Python-based AI agent ecosystem that includes OpenAI-compatible infrastructure. The flaw arises from Starlette versions prior to 1.0.1 failing to validate the HTTP Host header before using it to reconstruct request URLs: an attacker sending a crafted Host header such as "example.com/health?x=" causes authentication middleware relying on request.url.path to see a spoofed public-looking path, bypassing access controls entirely. MCP (Model Context Protocol) servers are particularly at risk because the specification mandates unauthenticated OAuth discovery endpoints, providing attackers with a predictable bypass target; successful exploitation can expose API keys, restricted LLM endpoints, internal agent tooling, and in some cases enable remote code execution. The vulnerability was discovered by X41 D-Sec during an OSTIF-sponsored audit and coordinated advisories were published on May 22, 2026; Starlette has over 400,000 dependent GitHub repositories and 325 million weekly downloads. Organizations are urged to upgrade Starlette to version 1.0.1 or later, replace request.url.path with scope["path"] in middleware, and deploy a validating reverse proxy in front of ASGI applications.
- Attackers Can Exploit BadHost to Access Sensitive AI Agent Serve(opens in a new tab)
- BadHost (CVE-2026-48710): One Rogue Header Line Unlocks Your Ent(opens in a new tab)
- BadHost Vulnerability Exposes Sensitive AI Agent Server Endpoint(opens in a new tab)
- Worrying open-source security issue 'BadHost' could affect milli(opens in a new tab)
- A vulnerability in the open-source package 'Starlette,' which is(opens in a new tab)
- Starlette Vulnerability Exposes AI Agent Endpoints | Let's Data (opens in a new tab)