CVE-2026-48710 (BadHost): Critical Starlette Host-Header Auth Bypass Vulnerability Affects FastAPI and Python ASGI Applications
By ylk · 5d ago · 1 min read · en · News
Bagelometer score: 46/100 (Doughy). Good intentions, undercooked execution. The bake is missing.
Type: news · Sentiment: negative
Summary
A critical security vulnerability (CVE-2026-48710, dubbed "BadHost") has been discovered in Starlette web framework versions prior to 1.0.1, affecting FastAPI applications as well. The vulnerability allows authentication bypass via Host header injection, impacting Python ASGI applications including MCP servers, LLM proxies, and AI agent frameworks. Applications using request.url or starlette.datastructures.URL in middleware for security decisions (allowlists, denylists, CSRF exemptions, rate limiting, payment gates) are vulnerable when running on any ASGI server.
Key quotes (2 pulled)
· Any Python application built on Starlette or FastAPI that uses starlette < 1.0.1 and uses request.url (or starlette.datastructures.URL(scope=...)) in a middleware to make security decisions based on its path (e.g. allowlists, denylists, CSRF exemptions, rate limiting, payment gates) is vulnerable.
· Scan your Starlette or FastAPI server for CVE-2026-48710 (BadHost): a critical auth bypass via Host header injection affecting MCP servers, LLM proxies, AI agent frameworks, and thousands of Python ASGI applications.