Starlette 'BadHost' bug exposes the Python AI stack to a one-character auth bypass
X41 D-Sec's OSTIF-sponsored audit of vLLM surfaced a Host-header flaw that cascades through FastAPI, LiteLLM and the MCP server fleet.
A single character in an HTTP Host header is enough to walk past authentication middleware in most of the Python AI inference stack. That’s the upshot of CVE-2026-48710, dubbed “BadHost,” disclosed Friday by OSTIF and patched in Starlette 1.0.1.
X41 D-Sec found the bug while running an OSTIF-coordinated source-code audit of vLLM, then traced it back upstream to Starlette itself, the ASGI framework underneath FastAPI and roughly 325 million weekly downloads of Python web tooling. Starlette reconstructs request.url by concatenating the incoming Host header with the request path and re-parsing the result, without validating the Host value against RFC 9112 or RFC 3986. Slip in a /, ?, or # and the boundaries between host, path, query, and fragment shift one slot to the left. Middleware inspecting request.url.path sees a benign route. The router still dispatches the real one.
The downstream blast radius is the entire LLM-serving ecosystem. X41’s own enumeration: “vLLM, LiteLLM, Text Generation Inference, most OpenAI-shim proxies, MCP servers, agent harnesses, evaluation dashboards, and model management UIs.” Anything served by uvicorn, hypercorn, daphne, or granian without a compliant reverse proxy in front is in scope.
NVD rated the CVE 7 out of 10. X41 and Secwest say that “materially understates” the threat, and the field telemetry backs them up. Markus Vervier, a researcher at X41, scanned the public internet and turned up exposed clinical-trial databases and M&A data at biopharma AI shops, live PII at identity and KYC vendors, SSH bastions on industrial IoT deployments, and read/send/delete mailbox access plus S3 exfiltration paths at SaaS integrators.
X41 has published Semgrep rules and CodeQL queries, and a free remote scanner is live at badhost.org via Persistent Security Industries and Bintech. Starlette’s maintainer shipped the patch without public comment.
A framework that quietly underpins the AI agent boom turned out to be enforcing authorization against a string it had assembled from attacker input. The vibes-coded layer of the stack just billed its first real invoice.
Sources
- https://arstechnica.com/information-technology/2026/05/millions-of-ai-agents-imperiled-by-critical-vulnerability-in-open-source-package/
- https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette/
- https://www.csoonline.com/article/4177711/fastapi-based-ai-tools-exposed-to-authentication-bypass-by-flaw-in-starlette-framework.html
- https://www.scworld.com/brief/high-severity-starlette-vulnerability-badhost-could-expose-sensitive-data
- https://www.techradar.com/pro/security/worrying-open-source-security-issue-badhost-could-affect-millions-of-ai-agents-experts-warn