Critical Vulnerability in Starlette Framework Poses Threat to AI Agents

Researchers have issued a warning about a critical vulnerability, identified as CVE-2026-48710 and dubbed BadHost, found in the open-source Starlette framework. This flaw impacts FastAPI and numerous popular AI tools, posing risks to millions of servers and AI agents. Exploiting this vulnerability boils down to manipulating a single character in the HTTP Host header.

Starlette, which implements the Asynchronous Server Gateway Interface (ASGI), is designed to handle a high volume of concurrent requests. According to the project developers, the package is downloaded approximately 325 million times weekly.

The vulnerability was discovered by specialists at X41 D-Sec, with researchers from Secwest coining the name BadHost. Though it has received a CVSS score of just 7, experts argue that this rating underestimates the seriousness of the issue.

In addition to FastAPI, the vulnerability also affects systems such as vLLM, LiteLLM, MCP servers, OpenAI-compatible proxies, various AI agent runtime environments, model evaluation dashboards, and other tools within the AI ecosystem.

The issue arises from the way Starlette, in versions prior to 1.0.1, constructs the request.url object. The framework takes the value from the HTTP Host header, appends the request path, and fails to validate the Host itself. Consequently, an attacker can input not just a domain but also a path fragment in the Host header.

For instance, if a request is directed to a secure endpoint like /protected, a Host header formatted as Host: example.com/health?x= may cause Starlette to construct the URL such that request.url.path appears as /health while routing still occurs at the actual HTTP path of /protected. The real path is appended after the ?x= and so ends up in the query string rather than in the path. If an application or middleware makes authorization decisions based on request.url.path rather than scope["path"], it could mistakenly see a seemingly safe path and allow the request to proceed. This could enable an attacker to bypass authorization mechanisms reliant on the request path.
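The path confusion described above, modelled with the Python standard library as an added example (not Starlette's code and not from the researchers). `naive_url_path` is a simplified stand-in for Host-plus-path URL construction; `HOST_RE`, `PUBLIC_PATHS`, `path_mismatch` and `authorize` are hypothetical names showing a check that validates the Host header and decides on scope["path"].

```python
import re
from urllib.parse import urlsplit

# Assumed allow-pattern: hostname/IPv4 or bracketed IPv6, optional port.
HOST_RE = re.compile(r"(?:[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?")
PUBLIC_PATHS = {"/health"}  # hypothetical unauthenticated routes


def host_header(scope: dict) -> str:
    """Return the Host header from an ASGI-style scope ('' if absent)."""
    for name, value in scope.get("headers", []):
        if name == b"host":
            return value.decode("latin-1")
    return ""


def naive_url_path(scope: dict) -> str:
    """Simplified model of Host + path concatenation with no Host validation."""
    url = f"{scope['scheme']}://{host_header(scope)}{scope['path']}"
    return urlsplit(url).path


def path_mismatch(scope: dict) -> bool:
    """Detection signal: the URL-derived path differs from the routed path."""
    return naive_url_path(scope) != scope["path"]


def authorize(scope: dict) -> str:
    """Reject malformed Host values, then decide on the routed path only."""
    if not HOST_RE.fullmatch(host_header(scope)):
        return "reject-400"
    return "allow-public" if scope["path"] in PUBLIC_PATHS else "require-auth"


def make_scope(host: bytes, path: str) -> dict:
    """Build a constructed ASGI-style HTTP scope for the demonstration."""
    return {"type": "http", "scheme": "https", "path": path,
            "headers": [(b"host", host)]}


# Constructed sample requests (the Host value is the one quoted in the article).
NORMAL = make_scope(b"example.com", "/protected")
CONFUSED = make_scope(b"example.com/health?x=", "/protected")

if __name__ == "__main__":
    for label, scope in (("normal", NORMAL), ("confused", CONFUSED)):
        print(label, naive_url_path(scope), path_mismatch(scope), authorize(scope))
```

The `path_mismatch` result can also be logged as a detection signal on deployments that cannot be upgraded immediately.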

Researchers have indicated that this vulnerability could facilitate authentication bypass and SSRF attacks and, in some scenarios, even lead to remote code execution.

The threat is particularly severe for MCP servers, which provide AI agents access to external systems such as emails, calendars, corporate services, cloud storage, and internal databases. Such servers typically store API keys, tokens, and credentials for third-party services, making them highly attractive targets for attackers.

Markus Vervier, a researcher from X41 D-Sec, reported that during vulnerability scans, a variety of sensitive data and infrastructures were found exposed. This includes:

- Clinical databases and M&A documents from biopharmaceutical companies
- Identity verification systems containing PII and codebases
- IoT and industrial systems with SSH access
- Email services and SaaS platforms
- HR systems with candidates' personal data
- Cloud monitoring platforms with AWS data
- Document management systems
- Security infrastructure with access to Nuclei scanners and asset registries

All versions of Starlette prior to 1.0.1 are deemed vulnerable, with the developers having added checks for invalid Host headers in that release.

In response, X41 D-Sec and specialists from Nemesis have launched an online scanner to check servers for susceptibility to the BadHost issue. Researchers are urging an immediate update of Starlette, advising owners of FastAPI, LiteLLM, and vLLM infrastructures to inspect their systems for vulnerable components.

This situation could significantly impact the market, prompting swift updates from developers and potentially creating an opportunity for competitors to enhance security measures in their frameworks.
