CVE-2026-48710 Starlette Host-Header Auth Bypass

Lobsters Hottest News

Summary

A critical host-header authentication bypass (CVE-2026-48710) in Starlette, and therefore in FastAPI and other frameworks built on it, affects many Python ASGI applications, including AI inference servers (e.g., vLLM), AI proxy servers (e.g., LiteLLM), and MCP gateways. A crafted Host header can make a middleware that authorizes requests by `request.url.path` see a different path than the one the router actually dispatches on, allowing unauthorized access to protected routes.

Comments: https://lobste.rs/s/cmsgwo/cve_2026_48710_starlette_host_header_auth
Original Article

Cached at: 05/27/26, 09:30 AM

# BadHost - CVE-2026-48710 Starlette Host-Header Auth Bypass

Source: [https://badhost.org/](https://badhost.org/)

Any Python application built on Starlette or FastAPI that uses `starlette < 1.0.1` and uses `request.url` (or `starlette.datastructures.URL(scope=...)`) in a middleware to make security decisions based on its `path` (e.g. allowlists, denylists, CSRF exemptions, rate limiting, payment gates), and runs on any ASGI server (Daphne, Granian, Gunicorn, Hypercorn, Anycorn, Uvicorn).

Use the scanner on badhost.org, grep your codebase for `request.url.path` in middleware files, or try the tools from the [X41 open-source repository](https://github.com/x41sec/poc/tree/master/starlette-host-header).

This includes LLM inference servers like vLLM, LLM proxy servers like LiteLLM, AI agent frameworks, MCP gateways, and custom APIs. MCP servers are especially at risk because the MCP spec mandates unauthenticated OAuth discovery endpoints, providing a reliable path for exploitation.
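The following is an added example, not code from badhost.org, Starlette, or X41. It reproduces the shape of the affected pattern described above in a self-contained way: `build_url_from_scope` is a hypothetical reimplementation of "splice the raw Host header between scheme and path, then re-parse with `urlsplit`", not Starlette's actual implementation, and `vulnerable_allow`, `hardened_allow`, `PUBLIC_PATHS`, `ALLOWED_HOSTS` and `make_scope` are hypothetical names for this demonstration. The attack scope is constructed: a request for a protected path whose Host header ends in an allowlisted path plus `?` (or `#`), so the re-parsed URL's `path` is the allowlisted one while the ASGI `scope["path"]` the router dispatches on is still the protected one.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: endpoints a middleware would leave unauthenticated
# (the MCP OAuth discovery endpoint is one the spec mandates be unauthenticated).
PUBLIC_PATHS = {"/.well-known/oauth-authorization-server", "/health"}

# Hypothetical allowed-host list for the hardened check.
ALLOWED_HOSTS = {"api.example.com"}

# Plain "host" or "host:port"; a Host containing '/', '?', '#', '@' or
# whitespace does not match and is treated as malformed.
_HOST_RE = re.compile(r"^[A-Za-z0-9.\-]+(?::\d{1,5})?$")


def host_header(scope):
    """Return the raw Host header from an ASGI scope, or '' if absent."""
    for key, value in scope["headers"]:
        if key == b"host":
            return value.decode("latin-1")
    return ""


def build_url_from_scope(scope):
    """Hypothetical reimplementation of the unsafe pattern: splice the raw Host
    header between scheme and path, then hand the string to urlsplit().
    Not Starlette's code, only the shape of the bug the advisory describes."""
    scheme = scope.get("scheme", "http")
    url = f"{scheme}://{host_header(scope)}{scope['path']}"
    if scope.get("query_string"):
        url += "?" + scope["query_string"].decode()
    return url


def derived_path(scope):
    """What a middleware reading request.url.path would see."""
    return urlsplit(build_url_from_scope(scope)).path


def vulnerable_allow(scope):
    """Vulnerable decision: allowlist check on the re-parsed URL's path."""
    return derived_path(scope) in PUBLIC_PATHS


def hardened_allow(scope):
    """Hardened decision: validate Host first, then decide on scope['path'],
    the path the router actually dispatches on."""
    host = host_header(scope)
    if not _HOST_RE.match(host):
        return False  # Host with '/', '?', '#' etc. is malformed: refuse outright
    if host.rsplit(":", 1)[0] not in ALLOWED_HOSTS:
        return False
    return scope["path"] in PUBLIC_PATHS


def make_scope(path, host, query=b""):
    """Constructed minimal ASGI HTTP scope for the demonstration."""
    return {
        "type": "http",
        "scheme": "https",
        "path": path,
        "query_string": query,
        "headers": [(b"host", host.encode("latin-1"))],
    }


def demo():
    """Return (path the middleware saw, vulnerable verdict, hardened verdict,
    path the router uses) for a request to /admin/users with a crafted Host."""
    # The Host ends in an allowlisted path plus '?', so urlsplit() pushes the
    # real path "/admin/users" into the query component of the rebuilt URL.
    attack = make_scope(
        "/admin/users",
        "api.example.com/.well-known/oauth-authorization-server?",
    )
    return derived_path(attack), vulnerable_allow(attack), hardened_allow(attack), attack["path"]


if __name__ == "__main__":
    seen, vuln, hard, real = demo()
    print(f"router dispatches on {real!r}; middleware saw {seen!r}")
    print(f"vulnerable middleware allows: {vuln}; hardened middleware allows: {hard}")
```

The `#` variant works the same way: a Host of `api.example.com/health#` turns the real path into the fragment of the rebuilt URL. The hardened form does two things the vulnerable one does not: it refuses any Host that is not a bare `host[:port]` from a known list, and it makes the authorization decision on `scope["path"]` rather than on a value re-derived from attacker-controlled headers. This toy omits details of the real Starlette code path (root_path handling, the `server` fallback when Host is absent), so confirm exposure against the actual installed version with the X41 tools or the scanner linked above, and apply the upgrade to Starlette 1.0.1 regardless.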

Similar Articles

Millions of AI agents imperiled by critical vulnerability in open source package

Ars Technica

A critical vulnerability (CVE-2026-48710, named BadHost) in the open-source ASGI framework Starlette exposes millions of AI agents and servers to potential data theft and credential compromise, affecting frameworks like FastAPI, vLLM, and LiteLLM. Patched in Starlette 1.0.1, the flaw is trivial to exploit and underscores risks in the AI tooling ecosystem.

CVE-2026-48710: A Maintainer's Perspective

Lobsters Hottest

Marcelo Trylesinski shares his perspective on CVE-2026-48710, a security vulnerability in Starlette involving path-based authorization bypass via manipulated Host headers. He argues the vulnerability stems from application patterns and deployment, not the framework itself.

Anthropic Claude Code Leak Reveals Critical Command Injection Vulnerabilities

Lobsters Hottest

Critical command injection vulnerabilities (CVE-2026-35022, CVSS 9.8) discovered in Anthropic's Claude Code CLI and SDK allow attackers to execute arbitrary commands and steal credentials through environment variables, file paths, and authentication helpers. The flaws enable poisoned pipeline execution attacks in CI/CD environments, requiring immediate patching and configuration changes.