What happened
CVE-2026-48710, dubbed 'BadHost,' is a host-header validation flaw in Starlette (the ASGI framework underlying LiteLLM, vLLM, FastAPI, and many AI web services). By sending a malformed Host header value, an attacker can make Starlette compute the effective request path as the public root route while the router still dispatches to an admin endpoint; path-based auth middleware checks the computed path and grants access, bypassing authentication. Horizon3.ai demonstrated the full unauthenticated RCE chain against LiteLLM (combined with CVE-2026-42271). CSO Online reported the flaw's reach into FastAPI-based AI tools including vLLM.
Why it matters
vLLM is the dominant open-source LLM inference server used in enterprise and cloud AI deployments. A path-based auth bypass that works against any Starlette application means that AI inference endpoints, model management APIs, and admin interfaces across a wide range of deployments may be accessible without authentication. Combined with command injection or deserialization flaws, this yields unauthenticated RCE on model serving infrastructure.
Attack vector
The attacker appends special characters (? or #) to the HTTP Host header. Starlette's path computation treats the request as targeting '/' (a public route) while the router still dispatches to the actual requested endpoint. Path-based auth middleware checks the computed (public) path and grants access. Combined with CVE-2026-42271 in LiteLLM, this yields unauthenticated RCE. On its own it allows unauthenticated access to any restricted endpoint in affected ASGI apps.
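Because the trigger described above is a Host value that is not syntactically a host at all, the cheapest detection and edge control is a strict Host check. The following is an added example (not code from Starlette, LiteLLM, vLLM or the advisory's authors): a Host validator based on the RFC 7230 host[:port] grammar, plus a scan over constructed access-log lines that flags malformed or unexpected Host values. The log format, hostnames and addresses are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Host = uri-host [ ":" port ] (RFC 7230 s5.4). A reg-name (DNS-style labels,
# which also covers dotted IPv4), or a bracketed IPv6 literal, then an optional
# port. '?', '#', '/', and whitespace can never appear in a well-formed value.
_HOST_RE = re.compile(
    r"^(?:"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"        # first label
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"  # further labels
    r"\.?"                                                   # optional trailing dot
    r"|\[[0-9A-Fa-f:.]+\]"                                   # IPv6 literal in brackets
    r")(?::[0-9]{1,5})?$"
)


def is_valid_host(value: str) -> bool:
    """True if the Host header value is host[:port] and nothing else."""
    return bool(_HOST_RE.match(value))


def host_name(value: str) -> str:
    """Strip the port: '[::1]:8000' -> '::1', 'api.example.internal:443' -> 'api.example.internal'."""
    if value.startswith("["):
        return value[1:value.index("]")]
    return value.split(":", 1)[0]


# Constructed access-log format (assumption for this example): one request per line,
# with the Host header quoted so that it can be inspected after the fact.
_LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) host="(?P<host>[^"]*)" '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)


@dataclass
class Finding:
    ts: str
    src: str
    host: str
    path: str
    status: int
    reason: str


def scan_access_log(lines: Iterable[str], allowed_hosts: Optional[Set[str]] = None) -> List[Finding]:
    """Flag requests whose Host header is malformed or not on the allow-list.

    A malformed Host on a request that still got a 200 from a restricted path is
    the pattern to hunt for with this bug class: the auth decision and the routed
    endpoint disagreed about which resource was being served.
    """
    findings: List[Finding] = []
    for line in lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue  # not an access-log line; a real pipeline would count these
        host = m["host"]
        if not is_valid_host(host):
            reason = "malformed Host header"
        elif allowed_hosts is not None and host_name(host).lower().rstrip(".") not in allowed_hosts:
            reason = "Host not in allow-list"
        else:
            continue
        findings.append(Finding(m["ts"], m["src"], host, m["path"], int(m["status"]), reason))
    return findings


# Constructed sample log: two normal requests, two with a '?' / '#' in the Host
# that still received 200 on admin paths, one IPv6 health check, one wrong vhost.
SAMPLE_LOG = """\
2026-05-01T10:00:00Z 203.0.113.5 host="api.example.internal" "GET /v1/models HTTP/1.1" 200
2026-05-01T10:00:02Z 203.0.113.5 host="api.example.internal" "POST /v1/chat/completions HTTP/1.1" 200
2026-05-01T10:00:07Z 198.51.100.9 host="api.example.internal?" "GET /admin/config HTTP/1.1" 200
2026-05-01T10:00:09Z 198.51.100.9 host="api.example.internal#x" "POST /admin/keys HTTP/1.1" 200
2026-05-01T10:00:11Z 203.0.113.7 host="[::1]:8000" "GET /health HTTP/1.1" 200
2026-05-01T10:00:15Z 192.0.2.44 host="evil.example.org" "GET /v1/models HTTP/1.1" 200
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines(), allowed_hosts={"api.example.internal", "::1"}):
        print(f"{f.ts} {f.src} host={f.host!r} {f.path} {f.status}: {f.reason}")
```

The same `is_valid_host` check can be applied at the reverse proxy or in a first-in-chain middleware to reject such requests with 400 before any routing happens; the allow-list is the stricter control and is what most deployments should run, since a service rarely needs to answer for arbitrary vhosts.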
Affected systems
Starlette 0.8.3 – 1.0.0; affects LiteLLM, vLLM, FastAPI-based AI inference servers, and any ASGI app using path-based auth middleware
Mitigation
Upgrade Starlette to ≥1.0.1. Audit all FastAPI/Starlette-based AI services for path-based auth patterns and consider switching to decorator-based per-route auth.
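The structural reason the upgrade alone is not the whole fix is visible in the two auth patterns side by side. The following added example (framework-agnostic Python, not Starlette's or FastAPI's code) contrasts a prefix-matching middleware, which decides authorization from a path string computed before dispatch, with a per-route decorator, where the check lives inside the handler that actually runs. The `Request.auth_path` field is a constructed stand-in for "the path the middleware sees"; it is set directly in the test rather than derived from any Host parsing, so the example shows only why the two patterns fail differently, not how Starlette computes paths. The API key is a constructed sample value.

```python
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, Optional


@dataclass
class Request:
    path: str                                   # what the router dispatches on
    headers: Dict[str, str] = field(default_factory=dict)
    auth_path: Optional[str] = None             # constructed: path as seen by a pre-dispatch middleware


@dataclass
class Response:
    status: int
    body: str


VALID_KEYS = {"sk-demo-constructed-key"}        # constructed sample credential
Handler = Callable[[Request], Response]


def bearer_key(request: Request) -> str:
    value = request.headers.get("authorization", "")
    return value[len("Bearer "):].strip() if value.startswith("Bearer ") else ""


def requires_api_key(handler: Handler) -> Handler:
    """Per-route guard. The check runs inside the handler that executes, so there is
    no separate 'which path is this?' computation for it to disagree with."""
    @wraps(handler)
    def guarded(request: Request) -> Response:
        if bearer_key(request) not in VALID_KEYS:
            return Response(401, "unauthorized")
        return handler(request)
    return guarded


class Router:
    def __init__(self) -> None:
        self.routes: Dict[str, Handler] = {}

    def route(self, path: str):
        def register(handler: Handler) -> Handler:
            self.routes[path] = handler
            return handler
        return register

    def dispatch(self, request: Request) -> Response:
        handler = self.routes.get(request.path)
        return handler(request) if handler else Response(404, "not found")


PROTECTED_PREFIXES = ("/admin",)


def prefix_auth_middleware(router: Router) -> Handler:
    """The pattern the advisory warns about: authorization is decided from a path
    string computed before dispatch. If that string and the routed path ever
    disagree, the check and the handler are no longer about the same resource."""
    def app(request: Request) -> Response:
        seen = request.auth_path if request.auth_path is not None else request.path
        if seen.startswith(PROTECTED_PREFIXES) and bearer_key(request) not in VALID_KEYS:
            return Response(401, "unauthorized")
        return router.dispatch(request)
    return app


def build_prefix_protected_app() -> Handler:
    r = Router()

    @r.route("/")
    def index(request: Request) -> Response:
        return Response(200, "public root")

    @r.route("/admin/config")
    def admin_config(request: Request) -> Response:   # relies on the middleware
        return Response(200, "admin config")

    return prefix_auth_middleware(r)


def build_per_route_protected_app() -> Handler:
    r = Router()

    @r.route("/")
    def index(request: Request) -> Response:
        return Response(200, "public root")

    @r.route("/admin/config")
    @requires_api_key                                 # guard bound to the handler itself
    def admin_config(request: Request) -> Response:
        return Response(200, "admin config")

    return r.dispatch


if __name__ == "__main__":
    # Constructed divergence: middleware believes the path is '/', router serves /admin/config.
    diverged = Request(path="/admin/config", auth_path="/")
    print("prefix middleware:", build_prefix_protected_app()(diverged))
    print("per-route guard:  ", build_per_route_protected_app()(diverged))
```

Per-route guards are the pattern FastAPI's dependency injection encourages; the point of the example is that the guard and the dispatch decision reference the same handler object, so no amount of path normalisation upstream can make them disagree. A prefix middleware is still useful as defence in depth, but should not be the only control on admin routes.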