Fastapi

vulnerabilities 2026-05-28
BadHost (CVE-2026-48710): A Forged Host Header Walks Past Auth in Every Starlette App
BadHost (CVE-2026-48710) is a Host-header authentication bypass in Starlette before 1.0.1. One malformed header makes request.url.path lie to your middleware — unlocking protected routes on FastAPI, vLLM, LiteLLM, and MCP servers without credentials.
starlette fastapi CVE-2026-48710 authentication-bypass mcp ai-infrastructure vllm litellm

BadHost (CVE-2026-48710): A Forged Host Header Walks Past Auth in Every Starlette App