BadHost (CVE-2026-48710) in Starlette Lets Attackers Bypass Authorization and Steal AI Server Credentials

Researchers have disclosed a critical host‑header vulnerability in the Starlette ASGI framework — CVE‑2026‑48710, nicknamed BadHost — that can allow attackers to bypass path‑based authorization on servers running AI agents and related tooling, enabling theft of sensitive data and third‑party credentials. The issue was reported by X41 D‑Sec and publicized by Secwest; researchers describe the exploit as trivial to execute. Operators of FastAPI and other Starlette‑based deployments are at immediate risk and should prioritize remediation.

Starlette is the ASGI implementation underlying FastAPI and many Python services, with maintainers reporting roughly 325 million downloads per week. The bug surfaced during work on vLLM and affects a broad set of projects that depend on Starlette, including vLLM, LiteLLM, Text Generation Inference, OpenAI‑shim proxies, MCP servers, agent harnesses, evaluation dashboards, and model‑management UIs. Maintainors released Starlette 1.0.1 on Friday to patch the flaw.

Technically, the flaw stems from a host‑header injection: a single character inserted into the HTTP Host header can make Starlette accept a reconstructed request URL that differs from its routing logic, allowing attackers to prepend paths inside the host portion. That discrepancy can defeat path‑based authorization checks and has been observed to enable authentication bypasses, server‑side request forgery (SSRF), and in some downstream applications, remote code execution.

The vulnerability is especially consequential for AI deployments because ASGI servers frequently expose MCP (model context protocol) endpoints that grant agents access to external resources — databases, mail, calendars and storage — and therefore hold credentials for numerous third‑party services. Because thousands of open‑source projects transitively depend on Starlette, the flaw expands the attack surface across developer stacks and AI tooling.

A scan led by X41 D‑Sec researcher Markus Vervier and collaborators catalogued types of exposed data on vulnerable systems: biopharma clinical‑trial and M&A data; identity‑verification PII and live face analysis; IoT and industrial SSH assets with potential RCE; full email/SaaS mailbox access and S3 exports; HR candidate records and CMS subscriber lists; document stores and cloud monitoring topologies and traces; cybersecurity asset inventories; and personal health and finance logs. Secwest warned that the published CVSS score of 7.0 understates how easily the flaw can be abused in practice.

Mitigations include upgrading immediately to Starlette 1.0.1, placing affected services behind properly configured firewalls, and scanning public endpoints for signs of compromise. X41 D‑Sec and partner Nemesis have published an online scanner to detect vulnerable hosts. Operators should audit any MCP or credential‑holding endpoints for unauthorized access and take remediation steps if compromise is suspected.