A critical authentication-bypass vulnerability tracked as CVE-2026-48710, dubbed 'BadHost', has been disclosed in Starlette versions prior to 1.0.1, the ASGI framework that underpins FastAPI-based AI infrastructure. The flaw arises from unsafe handling of the HTTP Host header, allowing attackers to forge header values that cause middleware to misidentify the request path, bypassing authentication and authorization controls. Platforms explicitly named at risk include vLLM, LiteLLM, Ray Serve, BentoML, Google ADK-Python, and MCP (Model Context Protocol) servers — components of the AI ecosystem commonly used to build and proxy LLM-powered services such as ChatGPT integrations and agent frameworks. Successful exploitation can expose restricted LLM endpoints, extract API keys and credentials, and enable unauthorized interaction with internal agent tooling. The vulnerability was discovered by X41 D-Sec during an OSTIF-sponsored audit and a patch is available in Starlette 1.0.1; operators are advised to upgrade immediately and avoid using request.url.path for security decisions in middleware.
- Attackers Can Exploit BadHost to Access Sensitive AI Agent Serve(opens in a new tab)
- BadHost vulnerability bypasses authentication on AI infrastructu(opens in a new tab)
- Worrying open-source security issue 'BadHost' could affect milli(opens in a new tab)
- Millions of AI brokers imperiled by essential vulnerability in o(opens in a new tab)