
BadHost (CVE-2026-48710) is an authentication-bypass vulnerability in Starlette: a malformed Host header shifts the parsed URL boundaries, granting access to blocked paths and enabling downstream SSRF and remote code execution.
Security researchers at Secwest and X41 D-Sec disclosed BadHost (CVE-2026-48710), an authentication-bypass vulnerability in the Python ASGI framework Starlette that lets attackers use malformed HTTP Host headers to bypass path-based access controls. The flaw can allow requests to reach routes that should be blocked, posing particular risk to services that make authorization decisions from the request URL.
The root cause is how Starlette constructs request.url: it concatenates the raw Host header with the request path and then re-parses the combined string without validating the Host value against RFC 9112 and RFC 3986. A Host header containing characters such as '/', '?', or '#' shifts the path, query, and fragment boundaries when the string is re-parsed, changing the path Starlette reports: a trailing '?' ends the authority early and pushes the real path into the query component, so a check against the protected route no longer matches. The researchers reproduced the effect with two curl checks:
    curl -i -H 'Host: foo' http://target/admin    # 403, blocked
    curl -i -H 'Host: foo?' http://target/admin   # 200, served
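A compact model of the parsing flaw described above, added here as an illustration rather than Starlette's own code: it reproduces only the behaviour the write-up describes (scheme + raw Host header + path, re-parsed later) beside a Host validation check that rejects such headers before any path is derived. The function names and the host pattern are constructed for this example; the pattern is a simplified reading of RFC 3986, not the project's validator.

```python
import re
from urllib.parse import urlsplit

# Simplified RFC 3986 host (assumption, constructed for this example):
# reg-name of unreserved / sub-delims / pct-encoded octets, or a bracketed
# IP literal, optionally followed by ":port". Note that '/', '?' and '#'
# are never allowed, which is exactly what the BadHost primitive relies on.
_HOST_RE = re.compile(
    r"^(?:\[[0-9A-Fa-f:.]+\]|(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*)"
    r"(?::[0-9]*)?$"
)


def build_url_unsafe(scheme: str, host_header: str, path: str, query: str = "") -> str:
    """The flawed pattern: glue the raw Host header and path into one string."""
    url = f"{scheme}://{host_header}{path}"
    return url + ("?" + query if query else "")


def parsed_path(scheme: str, host_header: str, path: str, query: str = "") -> str:
    """Path as seen by a consumer that re-parses the concatenated URL."""
    return urlsplit(build_url_unsafe(scheme, host_header, path, query)).path


def path_is_protected(scheme: str, host_header: str, path: str, query: str = "") -> bool:
    """Authorization decision that trusts the re-parsed path (the vulnerable shape)."""
    return parsed_path(scheme, host_header, path, query).startswith("/admin")


def is_valid_host_header(host_header: str) -> bool:
    """Reject any Host value that is not a syntactically valid authority."""
    return bool(host_header) and _HOST_RE.fullmatch(host_header) is not None


def is_request_blocked(host_header: str, path: str, query: str = "") -> bool:
    """Hardened decision: refuse malformed Host headers outright (a 400-style
    rejection), and only then consult the path-based rule."""
    if not is_valid_host_header(host_header):
        return True
    return path_is_protected("http", host_header, path, query)


if __name__ == "__main__":
    for host in ("foo", "foo?", "foo#", "foo/"):
        print(f"Host={host!r:8} reported path={parsed_path('http', host, '/admin')!r:10}"
              f" protected={path_is_protected('http', host, '/admin')}"
              f" blocked_after_fix={is_request_blocked(host, '/admin')}")
```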
The issue arises from interactions across layers in the Python ASGI ecosystem: ASGI servers pass the raw Host header through, Starlette uses it to build request URLs, and middleware or applications trust request.url.path for authorization. Starlette is widely used (roughly 325 million weekly downloads), and X41's analysis showed a chain from this single-character primitive to authentication bypass. The bug was discovered during a source-code audit of vLLM, demonstrating a practical exploitation path against LLM-serving infrastructure rather than a theoretical concern.
Downstream consequences go beyond simple route bypass: the researchers demonstrated exploitation chains that yielded authentication bypass, server-side request forgery (SSRF), and even remote code execution in downstream components that make security decisions based on request.url. They highlighted AI agents, evaluators, and LLM gateways as especially at risk because many of these services run on internal or research networks without the reverse-proxy protections common in production, increasing exposure to BadHost vectors. The researchers also warned that certain standards and service patterns — for example MCP servers that require unauthenticated OAuth discovery endpoints — can provide reliable attack paths if left unprotected.
Starlette released a patch in version 1.0.1, and a free online scanner was published to help teams find vulnerable deployments. Community reaction was mixed: some security voices argue the official severity score (6.5) understates the impact given the broad downstream surface, while others note practical mitigations. Commenters on Hacker News observed that services not directly exposed to the internet, and those behind CDNs, load balancers, or fronting web servers, are less susceptible because the exploit relies on characters that are not valid in DNS names and are often filtered at network edges.
Researchers urge rapid patching and auditing of middleware and downstream consumers that rely on request.url.path for authorization.