Technical description
Starlette (the ASGI framework underlying FastAPI, and transitively vLLM, LiteLLM, Text Generation Inference, MCP servers, and most Python-based AI agent frameworks) reconstructs the request URL by concatenating the HTTP Host header with the request path without validating the Host value against RFC 9112 character constraints. By injecting a URI-special character (?, /, or #) into the Host header, an attacker causes request.url.path to diverge from the actual ASGI route path, allowing path-based security middleware to be bypassed entirely with no credentials required. A single curl command with 'Host: foo?' is sufficient to return 200 OK on a route that correctly returns 403 under normal conditions. The official CVSS score is 6.5 (Moderate), but security researchers from X41 D-Sec and OSTIF have publicly argued this understates real-world severity given Starlette's penetration across the AI infrastructure stack.
Attack vector
Remote, unauthenticated. The attacker sends an HTTP request with a malformed Host header (e.g., 'Host: legitimate-host.com?') to any Starlette-backed endpoint. The ASGI server routes the request normally; Starlette's middleware evaluates a poisoned, re-parsed URL path and fails to match the protected route patterns, allowing the request through to the handler. A raw TCP socket or a tool that permits custom Host headers is required (standard HTTP clients normalize the header).
Affected systems
Starlette versions 0.8.3 through 1.0.0 (all versions before the patch). Downstream: FastAPI (all versions using Starlette middleware for path-based auth), vLLM inference servers, LiteLLM proxy gateways, Text Generation Inference, OpenAI-compatible ASGI shims, MCP server implementations built on FastAPI/Starlette, and AI agent harnesses, dashboards, and model registries using path-based access controls. Deployments behind Cloudflare or AWS ALB receive partial mitigation as those proxies reject malformed Host headers by default.
Mitigation
1. Upgrade to Starlette 1.0.1 or later across all direct and transitive dependencies; rebuild all containers and vendored installations after upgrading, as in-place package updates leave older vendored copies active.
2. Replace any use of request.url or request.url.path in security middleware with request.scope['path'], which returns the raw ASGI wire path unaffected by Host header content.
3. Deploy an HTTP/1.1-compliant reverse proxy (Nginx, Apache httpd, Cloudflare) in front of any ASGI service exposed directly.
X41 D-Sec has published free Semgrep rules, CodeQL queries, and a remote scanner at badhost.org to detect vulnerable installations.
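The divergence described in the technical description, and the scope['path'] fix from mitigation step 2, as an added illustration that is not Starlette's own code: a toy path-based auth check decides whether a route is protected either from a URL rebuilt from scheme + Host + path and re-parsed (the pattern the advisory describes) or from the raw ASGI wire path, alongside a strict Host allow-list. The scope layout, the token value, the protected prefix and the allow-list regex are constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

PROTECTED_PREFIX = "/admin"  # constructed: the route prefix the middleware guards

# Conservative allow-list for a Host value: hostname or IPv4 (letters, digits,
# '.', '-') or a bracketed IPv6 literal, each with an optional ":port".
# Deliberately a strict subset of the RFC grammar, not the full rules.
_HOST_RE = re.compile(r"^(?:[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?$")

def make_scope(host: str, path: str = "/admin/users") -> dict:
    """Constructed ASGI-style scope; 'path' is the wire path the server routed on."""
    return {
        "type": "http",
        "scheme": "http",
        "path": path,
        "query_string": b"",
        "headers": [(b"host", host.encode())],
    }

def host_header_is_valid(host: str) -> bool:
    """Reject Host values carrying URI delimiters ('?', '/', '#') or other junk."""
    return _HOST_RE.match(host) is not None

def path_from_rebuilt_url(scope: dict) -> str:
    """Path as seen by code that rebuilds the URL from scheme + Host + path and
    re-parses it; a '?', '/' or '#' in Host moves the real path out of .path."""
    host = dict(scope["headers"])[b"host"].decode("latin-1")
    url = f"{scope['scheme']}://{host}{scope['path']}"
    if scope["query_string"]:
        url += "?" + scope["query_string"].decode("latin-1")
    return urlsplit(url).path

def authorize(scope: dict, token: Optional[str], use_wire_path: bool) -> int:
    """Status a path-based auth middleware returns: 403 on a protected path
    without the (constructed) token, 200 elsewhere. use_wire_path=True is the
    scope['path'] fix; False mimics a check built on the re-parsed URL."""
    path = scope["path"] if use_wire_path else path_from_rebuilt_url(scope)
    if path.startswith(PROTECTED_PREFIX) and token != "let-me-in":
        return 403
    return 200

if __name__ == "__main__":
    for host in ("api.example.com", "api.example.com?", "api.example.com#"):
        s = make_scope(host)
        print(host, host_header_is_valid(host),
              authorize(s, None, False), authorize(s, None, True))
```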