
CVE-2026-48710 BadHost: Starlette Flaw Hits AI Agents


A host-header injection flaw in Starlette — the ASGI core behind FastAPI and most of Python’s AI serving stack — lets unauthenticated attackers bypass path-based authentication middleware without a single credential. Tracked as CVE-2026-48710 and nicknamed “BadHost,” it affects all Starlette versions before 1.0.1, and the blast radius includes vLLM, LiteLLM, MCP servers, and thousands of AI agent backends. The fix is out. Most teams haven’t shipped it yet.

How the BadHost Attack Works

Starlette reconstructs request.url by concatenating the HTTP Host header with the request path and re-parsing the result. The problem: Starlette never validates the Host value against RFC 9112 or RFC 3986 grammar before doing that reconstruction. Inject a /, ?, or # character into the Host header and you shift the path, query, and fragment boundaries during re-parse — so request.url.path returns a completely different value than what the ASGI server actually routed against.

Here is what that looks like in practice:

GET /protected HTTP/1.1
Host: example.com/health?x=

The ASGI server routes the request to /protected. However, Starlette reconstructs the URL as http://example.com/health?x=/protected, making request.url.path return /health. Any middleware checking that value sees an unauthenticated path and passes the request through — no credentials needed, no prior access required.

The fix pattern is straightforward. Any middleware using request.url.path for security decisions is vulnerable. The safe replacement is request.scope["path"], which reads the raw ASGI routing value directly:

# Vulnerable: trusts the reconstructed URL, which the Host header can influence
if request.url.path.startswith("/api/"):
    require_auth(request)

# Safe — reads the un-reconstructed ASGI scope value
if request.scope["path"].startswith("/api/"):
    require_auth(request)

The community diagnosis on Hacker News was succinct: “two parsers disagreeing and being too permissive in accepting input.” Each component behaves reasonably in isolation. The interaction is where the vulnerability lives.
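The parser disagreement described above can be reproduced with the standard library alone. This is an added example, not Starlette's code or code from the original article; the function names, the PUBLIC_PATHS allow-list and the simplified Host regex are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Conservative Host grammar for this example (stricter than RFC 3986 reg-name):
# hostname/IPv4 or bracketed IPv6 literal, optional numeric port.
_HOST_RE = re.compile(r"(?:[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?")

PUBLIC_PATHS = {"/health"}  # hypothetical unauthenticated allow-list


def host_header(scope: dict) -> str:
    return dict(scope["headers"]).get(b"host", b"").decode("latin-1")


def host_is_valid(host: str) -> bool:
    return _HOST_RE.fullmatch(host) is not None


def reconstructed_path(scope: dict) -> str:
    """Model of the behaviour described above: scheme + Host + path, re-parsed."""
    url = f"{scope['scheme']}://{host_header(scope)}{scope['path']}"
    return urlsplit(url).path


def naive_decide(scope: dict) -> str:
    """Path check on the reconstructed URL (the vulnerable pattern)."""
    return "public" if reconstructed_path(scope) in PUBLIC_PATHS else "auth-required"


def hardened_decide(scope: dict) -> str:
    """Reject a malformed Host, then decide on the path the server routed."""
    if not host_is_valid(host_header(scope)):
        return "reject-400"
    return "public" if scope["path"] in PUBLIC_PATHS else "auth-required"


def make_scope(host: str, path: str) -> dict:
    # Constructed ASGI-style scope holding only the keys this example reads.
    return {"type": "http", "scheme": "http", "path": path,
            "headers": [(b"host", host.encode("latin-1"))]}


BENIGN = make_scope("example.com", "/protected")
BADHOST = make_scope("example.com/health?x=", "/protected")  # request shown above

if __name__ == "__main__":
    for name, scope in (("benign", BENIGN), ("badhost", BADHOST)):
        print(name, reconstructed_path(scope), naive_decide(scope), hardened_decide(scope))
```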

The Starlette CVE Blast Radius Hits the AI Agent Stack Directly

Starlette pulls 325 million downloads per week. That number matters because FastAPI — which runs vLLM, LiteLLM, most OpenAI-shim proxies, text generation inference servers, and a large share of MCP gateway implementations — uses Starlette as its ASGI foundation. Your application does not need to import Starlette directly. If it imports FastAPI, you inherit the bug through the dependency chain.

The projects most at risk are the ones handling authentication in path-based middleware:

  • vLLM — where the bug was originally discovered, protecting inference endpoints with path-based middleware
  • LiteLLM — multi-backend LLM proxy using path-based API key enforcement
  • MCP servers — particularly exposed because the MCP specification mandates unauthenticated OAuth discovery endpoints, handing attackers a reliable, well-known path to inject into the Host header
  • Agent harnesses, eval dashboards, model management UIs — FastAPI-based tools often deployed with minimal security hardening

If you have stood up any of these for internal use and skipped the reverse proxy layer, your authentication may be trivially bypassable right now. This isn’t a theoretical edge case — it’s a straightforward HTTP manipulation that any attacker can execute without specialized tools.

Why the “Medium” Severity Rating Is Wrong

The official CVSS rating for CVE-2026-48710 is “medium.” The security community’s reaction on Hacker News was blunt: the rating is too low and sets a dangerous expectation given the blast radius. One researcher called it irresponsible framing before a holiday weekend.

The rating is technically defensible because real-world exploitability is substantially reduced if you are running a reverse proxy. nginx, Apache, and Cloudflare all reject malformed Host headers by default, so those requests never reach Starlette. The problem is the embedded assumption: AI backend deployments routinely skip this. LLM servers get stood up quickly for team access, internal tools get deployed without full production hardening, and a “medium” CVE does not create the urgency a critical-rated one does. Furthermore, MCP servers specifically cannot rely on reverse proxy protection in all deployment patterns.

The severity that matters is the severity given your actual deployment. If your Starlette application is internet-facing without a validating proxy in front, treat this as critical. For an example of how fast these vulnerabilities spread across AI infrastructure, compare it with the Ghost CMS SQL injection that hit 700+ sites before most operators noticed.

Fix It Now: Three Steps

1. Update Starlette to 1.0.1 or later. The patch validates the Host header against RFC 9112 §3.2 and RFC 3986 §3.2.2 before constructing request.url, and falls back to scope["server"] for malformed values. Starlette is now at 1.1.0 on PyPI. Run pip install --upgrade starlette and verify your FastAPI version pulls the updated dependency.

2. Audit your middleware. Even after patching, replace request.url.path with request.scope["path"] in every security-relevant check. Grep your codebase for request.url.path — any occurrence in a conditional that governs authentication or authorization is a candidate for review. This is the durable fix that protects against this class of bug regardless of upstream library behavior.

3. Scan your deployments. The BadHost scanner is free and tests whether your application is vulnerable. Run it against every Starlette-based service your team operates, including internal tools, staging environments, and anything running an MCP gateway.
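For step 2, a plain grep cannot tell a logging call from an authorization check. The following added example (not from the original article or any project named in it) parses Python source with ast and reports each `.url.path` read together with a flag for whether it sits inside a condition; the function names and the sample middleware are constructed for illustration.

```python
import ast


def _is_url_path(node: ast.AST) -> bool:
    """True for an attribute chain ending in `.url.path`, e.g. request.url.path."""
    return (isinstance(node, ast.Attribute) and node.attr == "path"
            and isinstance(node.value, ast.Attribute) and node.value.attr == "url")


def find_url_path_uses(source: str, filename: str = "<src>") -> list:
    """Return sorted (line, in_condition) pairs for each `.url.path` read."""
    tree = ast.parse(source, filename)
    # Collect every node that lives inside the test of an if/while/assert/ternary.
    in_test = set()
    for node in ast.walk(tree):
        test = getattr(node, "test", None)
        if isinstance(test, ast.AST):
            in_test.update(id(n) for n in ast.walk(test))
    return sorted((n.lineno, id(n) in in_test)
                  for n in ast.walk(tree) if _is_url_path(n))


# Constructed sample middleware: one conditional use, one logging use,
# and one check that already reads the raw ASGI scope.
SAMPLE = '''
async def auth_middleware(request, call_next):
    if request.url.path.startswith("/api/"):
        require_auth(request)
    log.info("served %s", request.url.path)
    if request.scope["path"] == "/admin":
        require_auth(request)
    return await call_next(request)
'''

if __name__ == "__main__":
    for line, in_condition in find_url_path_uses(SAMPLE):
        label = "REVIEW (condition)" if in_condition else "check usage"
        print(f"line {line}: request.url.path -> {label}")
```

A hit flagged False still deserves a look, since the value may be assigned to a variable and tested later.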

The broader lesson applies beyond this specific CVE: LLM infrastructure is being secured on the same delayed timeline as traditional software while being deployed at AI speed. Path-based middleware auth is a common shortcut — BadHost is a precise demonstration of what happens when shortcuts in the auth layer meet an adversary who reads changelogs.

ByteBot