
BadHost (CVE-2026-48710): one malformed Host header bypasses auth on 325M-download Starlette — and every MCP server built on it
Chris Harper
2 min read
Jun 11, 2026 · 16:00 UTC
A single slash character in an HTTP Host header is enough to bypass authentication on any path-based middleware written against Starlette. That is CVE-2026-48710, dubbed BadHost, disclosed on May 27, 2026 after a coordinated process with the Open Source Technology Improvement Fund (OSTIF); the fix shipped in Starlette 1.0.1 the day before publication.
How it works. Starlette reconstructs request.url by concatenating the raw Host header with the request path, without sanitizing the /, ? or # characters in the header. A request for GET /admin carrying Host: example.com/health?x= therefore makes request.url.path report /health even though the ASGI router matched /admin. Any middleware that gates access by checking request.url.path is bypassed; access controls built on request.url are effectively path-blind.
The blast radius is large. Starlette pulls roughly 325 million downloads per week and underpins 400,000+ dependent GitHub projects. Every tool that inherits it is affected without any fault in its own code: FastAPI, vLLM, LiteLLM, MCP servers, OpenAI-compatible API proxies, Ray Serve, BentoML, Google ADK-Python, and a long tail of agent harnesses and model-serving dashboards. MCP servers are especially exposed because the MCP specification mandates an unauthenticated OAuth discovery endpoint, which gives an attacker a predictable bypass path. The CVSS scores differ (6.5 official; 7.0 from X41 D-Sec, who found it), but the practical impact is "unauthenticated read/write on any protected API endpoint."
The fix is mechanical but requires an audit. Update Starlette to 1.0.1+ and replace any request.url.path references in your security middleware with request.scope["path"], which reads the raw ASGI routing value the server actually matched against, never the reconstructed URL. Starlette 1.0.1+ also validates the Host header and rejects malformed values outright, per RFC 9112 §3.2. Prefer FastAPI's Depends() or Starlette's requires() decorator to raw path checks in middleware; both operate on scope values throughout.
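The "How it works" paragraph describes a URL rebuilt from the raw Host header, and the paragraph above gives the fix: decide on scope["path"] and validate Host. The following is an added example, not code from the original article or from the Starlette project. It models the described reconstruction in plain Python as an assumption about the behaviour (not Starlette's actual implementation), uses a constructed minimal ASGI scope, and puts the path-blind gate next to a hardened gate that rejects Host values failing the RFC 9112 §3.2 grammar and authorizes on scope["path"]. The validate_host, naive_url_path, routed_path, is_allowed, make_scope and hardened_gate names are all hypothetical.

```python
import re
from urllib.parse import urlsplit

# Practical check for RFC 9112 s3.2: Host = uri-host [ ":" port ], where uri-host is an
# IP-literal, an IPv4 address or a reg-name (unreserved / pct-encoded / sub-delims).
# "/", "?" and "#" are never legal in a Host value, which is what BadHost depends on.
# IPvFuture literals are omitted for brevity (assumption: not needed here).
_HOST_RE = re.compile(
    r"^(?:\[[0-9A-Fa-f:.]+\]"                                # IPv6 literal
    r"|(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})+)"     # reg-name / IPv4
    r"(?::[0-9]*)?$"                                           # optional port
)


def validate_host(host: str) -> bool:
    """True only if `host` is a syntactically valid Host field value.

    The RFC permits an empty Host; rejecting it here is a local policy choice.
    """
    return bool(host) and _HOST_RE.fullmatch(host) is not None


def naive_url_path(scope: dict) -> str:
    """Model of the pre-fix behaviour the advisory describes (assumption, not
    Starlette's code): glue the raw Host header in front of the ASGI path to form an
    absolute URL, then read the path back out of the parsed result."""
    headers = {k.lower(): v for k, v in scope["headers"]}
    host = headers.get(b"host", b"").decode("latin-1")
    url = f"{scope['scheme']}://{host}{scope['path']}"
    if scope.get("query_string"):
        url += "?" + scope["query_string"].decode("latin-1")
    return urlsplit(url).path


def routed_path(scope: dict) -> str:
    """The value the ASGI server actually routed on; the Host header cannot alter it."""
    return scope["path"]


PROTECTED_PREFIX = "/admin"


def is_allowed(scope: dict, authenticated: bool, path_source) -> bool:
    """Path-based gate: anything under PROTECTED_PREFIX requires authentication.
    `path_source` is the function used to learn the request path."""
    if path_source(scope).startswith(PROTECTED_PREFIX):
        return authenticated
    return True


def make_scope(path: str, host: str, query: bytes = b"") -> dict:
    # Constructed, minimal ASGI HTTP scope for the demo.
    return {
        "type": "http",
        "scheme": "http",
        "method": "GET",
        "path": path,
        "query_string": query,
        "headers": [(b"host", host.encode("latin-1"))],
    }


def hardened_gate(scope: dict, authenticated: bool) -> tuple[bool, str]:
    """Fixed middleware logic: reject a malformed Host first, then decide from
    scope['path'] only. Returns (allowed, reason)."""
    headers = {k.lower(): v for k, v in scope["headers"]}
    host = headers.get(b"host", b"").decode("latin-1")
    if not validate_host(host):
        return False, "400 malformed Host"
    if is_allowed(scope, authenticated, routed_path):
        return True, "ok"
    return False, "401 unauthenticated"


if __name__ == "__main__":
    # The request from the article: GET /admin with Host: example.com/health?x=
    req = make_scope("/admin", "example.com/health?x=")
    print("routed path   :", routed_path(req))
    print("naive url path:", naive_url_path(req))
    print("naive gate    :", is_allowed(req, authenticated=False, path_source=naive_url_path))
    print("hardened gate :", hardened_gate(req, authenticated=False))
```

Run stand-alone, the naive gate lets the unauthenticated /admin request through because the rebuilt URL parses to /health, while the hardened gate never reaches the path decision: the Host value fails validation and the request is answered with a 400. The same hardened_gate applied to a well-formed Host still returns 401 for unauthenticated /admin requests, so the validation step adds no false positives for legitimate clients.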
Action items: upgrade with pip install starlette --upgrade (or through FastAPI), audit any custom auth middleware for request.url.path references, scan with the detection tool at badhost.org, and check whether your MCP server framework has a fixed release available.
Sources: CSO Online, "FastAPI-based AI tools exposed"; X41 D-Sec advisory X41-2026-002; badhost.org; CCB Belgium advisory.