Overview
- Researchers disclosed CVE-2026-48710, nicknamed BadHost, after finding that injecting a single character into the HTTP Host header breaks Starlette’s URL reconstruction and lets unauthenticated requests reach protected endpoints.
- The flaw affects every Starlette release before 1.0.1; the fix shipped in Starlette 1.0.1, which was published the Friday before this coverage.
- Because Starlette is usually pulled in as a transitive dependency rather than installed deliberately, BadHost reaches widely used projects such as FastAPI, vLLM, LiteLLM, MCP servers, OpenAI-shim proxies, agent harnesses, and model-management UIs, greatly expanding the attack surface.
- Security firms differ on severity scoring but agree the exploit is trivial to perform and high-impact; X41 D-Sec together with Nemesis published an online scanner (badhost.org) to detect vulnerable servers.
- Operators should immediately update to Starlette 1.0.1, audit dependency trees for indirect uses of Starlette (a service need not import it directly to be exposed), and restrict the network exposure of, and the credentials held by, MCP and model-management services to limit damage to users and downstream systems.
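The dependency audit recommended above is the step most often skipped, because the affected service may never import Starlette itself. The script below is an added example, not code from the BadHost advisory, the scanner, or the Starlette project: it walks the installed distributions via `importlib.metadata`, finds every package that reaches Starlette through its `Requires-Dist` chain, and flags the installed version if it is older than 1.0.1 (the fixed release named in the coverage). The sample environment `SAMPLE_ENV` is constructed for an offline run and does not describe any real deployment; the version comparison is a deliberately simple numeric-tuple compare (use the `packaging` library in production), and optional `extra ==` requirements are skipped because their targets are not necessarily installed.

```python
"""Find direct and transitive dependents of Starlette in a Python environment.

Added example; not code from the BadHost advisory or from Starlette.
"""
import re
from importlib import metadata

PATCHED = (1, 0, 1)  # first fixed Starlette release named in the coverage (assumption: 1.0.1)
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def norm(name):
    """PEP 503 style normalisation so 'Starlette', 'starlette' and 'STARLETTE' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version):
    """Leading numeric components only: '0.47.2' -> (0, 47, 2), '1.0rc1' -> (1, 0).

    Simplified on purpose; a pre-release such as 1.0rc1 therefore sorts before 1.0.1.
    """
    parts = []
    for piece in re.split(r"[.\-+]", version):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(version):
    return parse_version(version) < PATCHED


def dependency_paths(dists, target="starlette"):
    """Return {distribution: [distribution, ..., target]} for every package that reaches target.

    dists maps a normalised name to (version, [normalised required names]).
    """
    target = norm(target)

    def path_from(name, seen):
        if name == target:
            return [name]
        _, requires = dists.get(name, ("", []))
        for dep in requires:
            if dep in seen:  # guard against cycles in malformed metadata
                continue
            sub = path_from(dep, seen | {dep})
            if sub:
                return [name] + sub
        return None

    paths = {}
    for name in dists:
        if name == target:
            continue
        path = path_from(name, {name})
        if path:
            paths[name] = path
    return paths


def audit(dists, target="starlette"):
    """Summarise installed version, vulnerability status and who pulls the target in."""
    target = norm(target)
    if target not in dists:
        return {"installed": None, "vulnerable": False, "dependents": {}}
    version = dists[target][0]
    return {
        "installed": version,
        "vulnerable": is_vulnerable(version),
        "dependents": dependency_paths(dists, target),
    }


def installed_distributions():
    """Build the dependency graph of the running interpreter from package metadata."""
    graph = {}
    for dist in metadata.distributions():
        raw_name = dist.metadata["Name"]
        if not raw_name:
            continue
        requires = []
        for req in dist.requires or []:
            if "extra ==" in req:  # optional extras are not necessarily installed; skipped
                continue
            m = _REQ_NAME.match(req)
            if m:
                requires.append(norm(m.group(1)))
        graph[norm(raw_name)] = (dist.version, requires)
    return graph


# Constructed sample environment for an offline run; not a real pip freeze.
SAMPLE_ENV = {
    "starlette": ("0.47.2", ["anyio"]),
    "anyio": ("4.4.0", ["idna", "sniffio"]),
    "idna": ("3.7", []),
    "sniffio": ("1.3.1", []),
    "fastapi": ("0.115.0", ["starlette", "pydantic"]),
    "pydantic": ("2.9.0", []),
    "my-agent-harness": ("0.1.0", ["fastapi", "httpx"]),  # hypothetical in-house service
    "httpx": ("0.27.0", []),
}

if __name__ == "__main__":
    report = audit(installed_distributions())
    if report["installed"] is None:
        print("starlette not installed")
    else:
        status = "VULNERABLE" if report["vulnerable"] else "patched"
        print(f"starlette {report['installed']}: {status}")
        for dist, path in sorted(report["dependents"].items()):
            print("  ", " -> ".join(path))
```

Run it inside each virtualenv or container image that serves HTTP, not just on the host; a service whose only link to Starlette is `my-agent-harness -> fastapi -> starlette` shows up in the dependents list, which is exactly the indirect exposure the advice above warns about.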