One bad Host header bypassed auth in Starlette, the routing core under millions of AI agents

Starlette just patched a bug that broke authentication across much of the Python AI stack. The framework sits under FastAPI, vLLM, LiteLLM, and most Model Context Protocol servers, and a single character in an HTTP Host header was enough to slip past path-based access checks.

Tracked as CVE-2026-48710 and nicknamed BadHost, the flaw matters because of where Starlette lives. It pulls roughly 325 million downloads a week and has more than 400,000 dependents on GitHub. So this isn’t one vulnerable app. It’s a primitive baked into the routing core that a huge slice of today’s agent servers, model proxies, and eval dashboards inherit for free, usually without the maintainers writing a line of the vulnerable code themselves.

What we know

Here’s the confirmed picture as of the May 21 patch, drawn from the advisory and the X41 D-Sec disclosure. The short version: a framework most teams never chose directly, but inherited through FastAPI or an MCP server, shipped a flaw that turns a single malformed header into an auth-check bypass, and the exposure tracks how widely that framework has spread rather than any one project’s own code quality.

• The bug is a Host-header path-poisoning issue. Starlette reconstructs request.url by gluing the Host header onto the path and re-parsing the result, without validating the header against the RFC grammar first. A Host value containing /, ?, or # shifts the path boundary, so request.url.path no longer matches the path the server actually routed.
• That mismatch is the whole exploit. Middleware that makes a security decision on request.url.path, a common pattern for “block /admin, allow /health”, sees the poisoned path and waves the request through, while the real route still executes underneath.
• It was found by X41 D-Sec researchers, including Markus Vervier, during an OSTIF-sponsored source-code audit of vLLM, then disclosed through OSTIF. It was independently reported in parallel by contributors nic-lovin and others credited in the advisory.
• The fix is Starlette 1.0.1, released May 21, 2026. That version checks the Host header before using it to build the URL. Everything from 0.8.3 up to 1.0.0 is affected.
• Downstream, the advisory and reporting name FastAPI, vLLM (where the audit started), LiteLLM, Text Generation Inference, OpenAI-shim proxies, MCP servers, and agent harnesses as exposed.

How bad is critical here

The official scoring is where this gets argued. The GitHub advisory lists a CVSS v3.1 base of 6.5 (Medium), while the CVSS v4.0 vector lands at 7.0 (High). X41 D-Sec put it plainly: “simply inserting a single character into the HTTP Host header allows you to bypass path-based authentication in Starlette, FastAPI’s routing core.” Their writeup argues the 7.0 number “significantly underestimates the threat” to the wider set of apps that depend on Starlette indirectly.

Why the gap? Because the severity depends entirely on what each downstream app does with request.url.path. On its own, Starlette won’t hand you remote code execution. But an MCP server that gates a sensitive tool behind a path check, or an agent dashboard that fronts credentials with one, becomes wide open. The reported prizes range from SSH keys and email or SaaS access to cloud-infrastructure details sitting behind those gates. This is an auth-bypass primitive, and primitives are dangerous in proportion to what’s stacked on top of them. We’ve watched a near-identical “one package, enormous blast radius” pattern play out before, in the TanStack npm supply-chain incident.

What we don’t know

Three things stay open even with the 1.0.1 fix shipped.

• How many of those 400k dependents actually do path-based auth in middleware. Apps that authorize off the ASGI scope path, not request.url.path, were never exposed. There’s no public count of the vulnerable subset.
• Whether BadHost was exploited in the wild before the patch. No confirmed in-the-wild abuse has been reported as of publication.
• How fast the long tail upgrades. Frameworks patch quickly; the thousands of small agent servers pinned to old Starlette are the slow part, the same drag that keeps Log4Shell alive years later.

What this means for you

If you run anything that imports Starlette, directly or through FastAPI, vLLM, LiteLLM, or an MCP server, upgrade to 1.0.1 today. That’s the one move that closes the door, and it’s a point release, so the risk of breakage is low. Then audit your auth: if any middleware decides access by reading request.url.path, treat it as bypassable until you’ve confirmed it’s running on the fixed version, and prefer authorizing off the raw ASGI scope path where you can. Don’t assume you’re safe because you never touched Starlette directly, that’s exactly how transitive dependencies catch teams out. The painful lesson from the Claude Code deeplink RCE and the VS Code token-theft zero-day is the same one here: in the agent era, your security boundary is only as solid as the framework quietly parsing your requests.