BadHost – CVE-2026-48710 Starlette Host-Header Auth Bypass



BadHost CVE-2026-48710

Also known as: X41-2026-002, GHSA-86qp-5c8j-p5mr, PYSEC-2026-161

Discovered by X41 D-Sec during an OSTIF-sponsored audit

Scanner & automation by Nemesis

Critical severity. Starlette builds request.url from the Host header without sanitization, letting attackers forge a request.url.path that bypasses path-based auth middleware. Thousands of FastAPI and Starlette applications are affected, including vLLM, LiteLLM, MCP servers, and AI agent frameworks.

Scanner modes (powered by Nemesis security automation)

Full AI Infrastructure Scan: Automatically discovers MCP endpoints and common inference API paths (vLLM, LiteLLM, OpenAI-compatible). Best for scanning AI infrastructure where the exact stack is unknown.

MCP Server: Scans MCP servers only. Probes standard MCP endpoints (/mcp, /sse, /messages and variants) for auth-protected JSON-RPC, then attempts Host-header bypass.

Custom (Advanced): Any Starlette or FastAPI application with path-based auth middleware is affected. Select a preset or specify your own paths.

Presets:
vLLM: /v1/models
LiteLLM: /model/info
LiteLLM Admin: /key/info
Custom: your own paths

How to fix

Update Starlette to version 1.0.1 or later, which ignores Host headers containing invalid characters instead of using them for URL construction.

Avoid path-based auth middleware. Middleware that decides authentication based on request.url.path is inherently fragile — auth should be tied to the endpoint itself, not the path used to reach it. Prefer Starlette's requires() decorator or FastAPI's Depends() and Security(), which are enforced on the actual endpoints instead of in a path-based middleware.

Deploy a reverse proxy (nginx, Caddy, Traefik, HAProxy) in front of your ASGI server. RFC-compliant reverse proxies validate and normalize the Host header before forwarding, which neutralizes this attack. ASGI servers pass the raw header through to the framework — a reverse proxy prevents that.

Use scope["path"] instead of request.url.path if you must use middleware. The ASGI scope path comes from the HTTP request line and cannot be manipulated via the Host header.

What is BadHost / CVE-2026-48710?

Starlette builds request.url by concatenating the HTTP Host header with the request path. An attacker can send a crafted request like GET /protected with a Host: example.com/health?x= header. The request will reach the /protected path, but request.url would be https://example.com/health?x=/protected, and request.url.path would return /health instead of the real request path. Any middleware that uses this value to decide whether to enforce authentication can be bypassed.
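The following is an added, self-contained model (not Starlette's code and not the X41 tooling) of the mechanism described above and of two of the fixes from the "How to fix" section: reading scope["path"] instead of the URL-derived path, and refusing to build a URL from a Host header that contains characters invalid in a hostname. The URL construction mirrors the page's description (scheme + Host + path); the hostname regex, the fallback to scope["server"] when the Host is rejected, and the PROTECTED_PREFIXES allowlist are assumptions made for the illustration. The sample ASGI scopes are constructed here.

```python
# Added illustration of the BadHost mechanism and its mitigations.
# Not Starlette's implementation: a simplified model of the described
# behaviour, using plain dict scopes so it runs without any framework.
import re
from urllib.parse import urlsplit

# Characters allowed in an RFC 3986 reg-name or IPv6 literal plus the ':'
# port separator. '/', '?' and '#' are absent, so a Host that would start
# a path, query or fragment is rejected. (Assumption modelled on the page's
# description of the 1.0.1 fix, not the library's actual check.)
_HOST_RE = re.compile(r"^[A-Za-z0-9\-._~%!$&'()*+,;=\[\]:]+$")

# Assumed path prefixes the middleware protects; chosen for the example.
PROTECTED_PREFIXES = ("/protected", "/v1/", "/mcp")


def make_scope(path: str, host: str, query: bytes = b"") -> dict:
    """Build a constructed ASGI-style scope for one HTTP request."""
    return {
        "type": "http",
        "scheme": "https",
        "path": path,                      # taken from the request line
        "query_string": query,
        "headers": [(b"host", host.encode("latin-1"))],
        "server": ("127.0.0.1", 8000),     # address the ASGI server listens on
    }


def header(scope: dict, name: bytes) -> str:
    """Return the first header with the given lowercase name, or ''."""
    for key, value in scope.get("headers", []):
        if key.lower() == name:
            return value.decode("latin-1")
    return ""


def host_is_valid(host: str) -> bool:
    """True only if the Host value cannot inject path/query/fragment syntax."""
    return bool(host) and _HOST_RE.fullmatch(host) is not None


def _assemble(scope: dict, host: str) -> str:
    query = scope.get("query_string", b"").decode("latin-1")
    return f"{scope.get('scheme', 'http')}://{host}{scope['path']}" + (
        "?" + query if query else ""
    )


def url_from_scope(scope: dict) -> str:
    """Flawed construction described on the page: Host is used unchecked."""
    return _assemble(scope, header(scope, b"host"))


def path_from_url(scope: dict) -> str:
    """What a URL-derived .path yields under the flawed construction."""
    return urlsplit(url_from_scope(scope)).path


def safe_url_from_scope(scope: dict) -> str:
    """Model of the fixed behaviour: an invalid Host is ignored and the
    listening address from scope['server'] is used instead (the exact
    fallback is an assumption of this example)."""
    host = header(scope, b"host")
    if not host_is_valid(host):
        server_host, server_port = scope.get("server") or ("localhost", None)
        host = server_host if server_port is None else f"{server_host}:{server_port}"
    return _assemble(scope, host)


def vulnerable_requires_auth(scope: dict) -> bool:
    """Path-based decision taken from the URL-derived path (bypassable)."""
    return path_from_url(scope).startswith(PROTECTED_PREFIXES)


def hardened_requires_auth(scope: dict) -> bool:
    """Same decision, but taken from scope['path'] (the request line)."""
    return scope["path"].startswith(PROTECTED_PREFIXES)


if __name__ == "__main__":
    crafted = make_scope("/protected", "example.com/health?x=")
    print("flawed url     :", url_from_scope(crafted))
    print("flawed path    :", path_from_url(crafted))
    print("vulnerable auth:", vulnerable_requires_auth(crafted))
    print("hardened auth  :", hardened_requires_auth(crafted))
    print("safe url       :", safe_url_from_scope(crafted))
```

Run it and the crafted request shows the divergence: the URL-derived path is /health while scope["path"] is still /protected, so only the hardened check demands credentials. The same host_is_valid() check is what a reverse proxy or the patched framework applies before the Host value ever reaches URL construction.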

More details can be found in the X41-2026-002 advisory.

Which projects are affected?

Any Python application built on Starlette or FastAPI that uses a vulnerable Starlette release, uses request.url (or starlette.datastructures.URL(scope=...)) in a middleware to make security decisions based on its path (e.g. allowlists, denylists, CSRF exemptions, rate limiting, payment gates), and runs on any ASGI server (Daphne, Granian, Gunicorn, Hypercorn, Anycorn, Uvicorn). Use the scanner above, grep your codebase for request.url.path in middleware files, or try the tools from the X41 open-source repository.

This includes LLM inference servers like vLLM, LLM proxy servers like LiteLLM, AI agent frameworks, MCP gateways, and custom APIs. MCP servers are especially at risk because the MCP spec mandates unauthenticated OAuth discovery endpoints, providing a reliable path for exploitation.

What about AI infrastructure (LLM proxies, agent frameworks)?

This vulnerability is not specific to LLMs, but many LLM inference servers (vLLM), LLM proxy servers (LiteLLM), AI agent frameworks, and MCP gateway implementations are built on FastAPI/Starlette and use path-based auth to protect API endpoints. A bypass can expose model access, API keys, and internal tooling. Google ADK-Python, Ray Serve, and BentoML also use Starlette middleware and are potentially affected when custom auth middleware is added. Any custom MCP server, FastMCP integration, or AI agent backend using Starlette routing with auth middleware should be tested. Note: FastAPI's built-in Depends() security uses route matching, not request.url.path, so standard dependency-injection auth is safe — the risk is in custom BaseHTTPMiddleware or raw ASGI middleware.

Does a reverse proxy protect me?

Yes. RFC-compliant reverse proxies (nginx, Caddy, Traefik, HAProxy) validate and reject invalid Host headers, which neutralizes the injection. However, many deployments — especially dev, staging, and self-hosted instances — expose ASGI servers directly without a proxy.

How does the scanner work?

The scanner first confirms a protected endpoint denies access without credentials. Tier 1 then tests whether the middleware uses a denylist (fail-open) pattern by injecting a random path into the Host header — this catches misconfigured middleware in just a few...

