BadHost – CVE-2026-48710: Starlette Host-Header Auth Bypass

https://badhost.org/
https://arstechnica.com/information-technology/2026/05/milli...

Comments

nickcwMay 27, 2026, 7:37 AM
If you read the advisory and are wondering what starlette is, from it's web page: starlette is a lightweight ASGI framework/toolkit, which is ideal for building async web services in Python.

It's used a lot in the data heavy AI world for it's efficiency shipping large files. This includes lots and lots of production servers.

From the advisory: this includes LLM inference servers like vLLM, LLM proxy servers like LiteLLM, AI agent frameworks, MCP gateways, and custom APIs. MCP servers are especially at risk because the MCP spec mandates unauthenticated OAuth discovery endpoints, providing a reliable path for exploitation.

s2lMay 27, 2026, 7:36 AM
From the link, on how the attack works:

An attacker can send a crafted request like GET /protected with a Host: example.com/health?x= header. The request will reach the /proteced path, but request.url would be https://example.com/health?x=/protected, and request.url.path would return /health instead of the real request path.

ostif-derekMay 26, 2026, 9:57 AM
This is a bad one. Rating it a medium understates how hard it hits thousands of downstream projects and billions of installs. People need to patch asap. I'm normally against the "giving a bug a name, logo, and website" trope, but this one is getting poor patch rates because of it being rated a medium and landing right before a big American holiday weekend.
acdhaMay 27, 2026, 1:43 AM
I agree it’s fairly bad on its own but it’s substantially mitigated if you aren’t exposing Starlette/FastAPI directly to the internet – if you use a CDN, load-balancer / API Gateway, or a fronting web server it’s likely that your service is protected since the attacks depend on characters which are not valid in DNS (and in the first couple of cases, likely need to match to route traffic to the right customer).

As an example, I just confirmed that both Cloudflare and AWS ALBs reject all of the attack patterns. Still not good, lateral movement is a time-honored tactic, etc. but it buys time to patch.

ylkMay 26, 2026, 9:15 AM
The URL was meant to be https://badhost.org, the site accidentally still has the old canonical meta tag.
phoronixrlyMay 27, 2026, 7:16 AM
[flagged]