- Last update: 28/05/2026
- Affected software: Starlette framework, including projects and frameworks relying on Starlette
- Type: Authentication bypass
- CVE/CVSS: CVE-2026-48710: CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
BadHost - https://badhost.org/
Starlette advisory - https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr
BadHost, otherwise known as CVE-2026-48710, is a vulnerability affecting Starlette, a very popular open source framework that underpins millions of AI agents and tools.
This framework is an implementation of ASGI (Asynchronous Server Gateway Interface). Starlette is the base of FastAPI and of other widely used frameworks such as vLLM and LiteLLM for building Python services. Thousands of further open-source projects also depend on Starlette.
ASGI-based services include MCP servers, which let AI agents from major providers reach external sources. MCP servers store credentials for each external system they connect to, which makes them valuable targets for threat actors.
Given the importance of Starlette and the triviality of exploitation, it is likely that threat actors will attempt to exploit it in order to access sensitive data and steal credentials, including credentials to third-party accounts which could be exploited in supply chain attacks.
CVE-2026-48710, also known as BadHost, is a vulnerability affecting Starlette versions prior to 1.0.1.
A lack of input validation of the HTTP Host header in Starlette allows authentication to be bypassed with a single character across a large swath of Python LLM infrastructure, including very large and prominent projects such as FastAPI, LiteLLM, vLLM, text generation inference projects, most OpenAI shim proxies, MCP servers, agent harnesses, eval dashboards, and model-management UIs.
In affected versions, the HTTP Host request header was not validated before being used to reconstruct request.url. Because the routing algorithm relies on the raw HTTP path while request.url is rebuilt from the Host header, a malformed header could make request.url.path differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on request.url (rather than the raw scope path) could therefore be bypassed.
A successful attacker could exploit BadHost to gain access to sensitive data and exfiltrate credentials for third-party accounts.
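As an added example (not code from Starlette, nor from the advisory or the researchers), the defender's side of the mechanism described above: a self-contained model of an ASGI scope, a strict allow-pattern applied to the Host header before the value is used to rebuild the URL, and an authorization check that decides on scope["path"] (the value the router dispatches on) rather than on a request.url derived from client-controlled headers. The scope builder, the Authorization header check and the status codes are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Strict allow-pattern for the Host header value: a DNS name or IPv4 literal,
# or a bracketed IPv6 literal, each with an optional numeric port. Anything
# else (slashes, '?', '#', '@', whitespace, ...) is rejected before the value
# is used to rebuild a URL, so a crafted Host can never reshape request.url.
_HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9][A-Za-z0-9.-]{0,253}|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?$"
)


def host_is_valid(host: str) -> bool:
    return bool(_HOST_RE.match(host))


def _header(scope: dict, name: bytes):
    # ASGI headers are a list of (lower-cased name, value) byte pairs.
    for key, value in scope.get("headers", []):
        if key == name:
            return value.decode("latin-1")
    return None


def make_scope(path: str, host: str, authorization=None) -> dict:
    # Constructed ASGI HTTP scope used as sample input (hypothetical, not a
    # captured request).
    headers = [(b"host", host.encode("latin-1"))]
    if authorization is not None:
        headers.append((b"authorization", authorization.encode("latin-1")))
    return {"type": "http", "scheme": "http", "path": path,
            "server": ("127.0.0.1", 8000), "headers": headers}


def authorize(scope: dict) -> int:
    """Return the HTTP status an auth middleware would produce: 400 for an
    unacceptable Host, 403 for anonymous access to a protected path, 200 otherwise."""
    host = _header(scope, b"host") or ""
    if not host_is_valid(host):
        return 400
    # Defence in depth: the URL rebuilt from scheme + Host + raw path must
    # yield the same path the router dispatches on; refuse the request if not.
    rebuilt = urlsplit(f"{scope['scheme']}://{host}{scope['path']}")
    if rebuilt.path != scope["path"]:
        return 400
    # The access decision keys on scope["path"], the value routing uses,
    # never on a request.url derived from client-controlled headers.
    if scope["path"].startswith("/admin") and _header(scope, b"authorization") is None:
        return 403
    return 200
```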
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable software (Starlette 1.0.1 or later, and updated releases of projects that depend on it) with the highest priority after thorough testing.
The security researchers who found the vulnerability developed a scanner to discover vulnerable systems: https://badhost.org/
It is recommended to:
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.
OSTIF - https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette/
X41 D-Sec - https://x41-dsec.de/lab/advisories/x41-2026-002-starlette/
Ars Technica - https://arstechnica.com/information-technology/2026/05/millions-of-ai-agents-imperiled-by-critical-vulnerability-in-open-source-package/