BadHost is a high-severity authentication bypass vulnerability in the widely used Python web framework Starlette, with 325 million weekly downloads. The flaw allows attackers to use malformed HTTP Host headers to bypass path-based access controls and access sensitive AI agent infrastructure, among other systems.
Discovered by security researchers at Secwest and X41 D-Sec, the vulnerability can be trivially exploited by including a /, ?, or # character in the Host header:
curl -i -H 'Host: foo' http://target/admin # 403, blocked
curl -i -H 'Host: foo?' http://target/admin # 200, served
Starlette reconstructs request.url by concatenating the HTTP Host header with the request path and re-parsing the result. The Host value is not validated against the RFC 9112 / RFC 3986 grammar before reconstruction. A Host header containing /, ?, or # shifts the path, query, and fragment boundaries during re-parse, so request.url.path no longer matches the path the ASGI server actually received and routed against.
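The mechanism above can be reproduced with nothing more than the standard library. The following is an added example, not Starlette's code and not from the researchers: it models the "concatenate Host with the path, then re-parse" step with urllib.parse, shows how the re-parsed path drifts away from the routed path when Host carries one of the three characters, and pairs it with the two defender-side checks the description implies, validating Host against the RFC 3986 authority grammar and comparing the re-parsed path with the path the server actually routed. All function names and the sample requests are assumptions constructed for the example.

```python
"""Added example (not Starlette's code): models the URL reconstruction described above
and shows a defender-side consistency check. Helpers are hypothetical; inputs are constructed."""
import re
from urllib.parse import urlsplit


# Assumption: the framework builds the URL as scheme + "://" + Host + path and re-parses it.
# This is a simplified model of that behaviour, not Starlette's implementation.
def reconstruct_url(host: str, path: str, query: str = "", scheme: str = "http") -> str:
    url = f"{scheme}://{host}{path}"
    return f"{url}?{query}" if query else url


def reparsed_path(host: str, path: str, query: str = "") -> str:
    """Path as seen after re-parsing; diverges from `path` when Host carries '/', '?' or '#'."""
    return urlsplit(reconstruct_url(host, path, query)).path


# RFC 3986 host[:port] grammar (subset): an IP-literal in brackets, or a reg-name made of
# unreserved / pct-encoded / sub-delims characters, followed by an optional numeric port.
# None of '/', '?' or '#' can appear, so a Host containing them fails this check.
_REG_NAME = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})+"
_IP_LITERAL = r"\[[0-9A-Fa-f:.]+\]"
_HOST_RE = re.compile(rf"^(?:{_IP_LITERAL}|{_REG_NAME})(?::[0-9]*)?$")


def host_is_valid(host: str) -> bool:
    """True when the Host header matches the authority grammar."""
    return _HOST_RE.fullmatch(host) is not None


def request_is_consistent(host: str, path: str, query: str = "") -> bool:
    """Defender check: accept only if Host is well-formed AND the re-parsed path
    equals the path the server routed on (the ASGI scope path in the text)."""
    return host_is_valid(host) and reparsed_path(host, path, query) == path


def triage(records):
    """Run the check over (host, path) pairs, e.g. pulled from access logs,
    and return (host, path, accepted) so rejected requests can be flagged."""
    return [(host, path, request_is_consistent(host, path)) for host, path in records]


if __name__ == "__main__":
    # Constructed sample requests; the 'foo?' case mirrors the curl lines quoted in the article.
    sample = [
        ("api.example.com", "/admin"),
        ("foo?", "/admin"),
        ("foo/", "/admin"),
        ("foo#", "/admin"),
        ("[::1]:8000", "/health"),
    ]
    for host, path, ok in triage(sample):
        seen = reparsed_path(host, path)
        print(f"Host={host!r:18} routed={path!r:10} reparsed={seen!r:10} {'OK' if ok else 'REJECT'}")
```

Running the script shows the three malformed hosts producing a re-parsed path of "" or "//admin" instead of "/admin", which is exactly the divergence that lets a path-based gate on request.url.path disagree with the router. Either check alone closes the gap in this model; applying both is cheap and makes the reason for a rejection explicit in logs.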
While the vulnerability was assigned a moderate risk score of 6.5, the researchers argue that this "understates the downstream impact" and the vulnerability should be considered critical because it affects all downstream consumers:
X41's analysis found multiple popular open source projects whose middleware gates security-relevant decisions on request.url, with demonstrated chains from this single-character primitive to authentication bypass, SSRF, and remote code execution.
This criticality is reinforced by the fact that the vulnerability was discovered during a source code audit of vLLM, demonstrating that "the path from Starlette quirk to LLM-serving primitive is not theoretical; it is the discovery path". To make things worse, potentially affected AI services are often deployed on internal networks, lab subnets, and LLM research environments that lack the reverse-proxy protection typically present in production systems, leaving them directly exposed to exploitation via BadHost.
At particular risk are MCP servers, as the researchers note that "the MCP spec mandates unauthenticated OAuth discovery endpoints, providing a reliable path for exploitation".
Notably, the vulnerability was missed by Claude Mythos, which instead identified more than 10,000 vulnerabilities in Project Glasswing. In this context, the researchers note:
CVE-2026-48710 is not a bug in one file or one repo. It spans three independent layers — ASGI servers pass the raw Host header, Starlette trusts it for URL construction, and middleware authors assume request.url.path is safe for auth decisions. Each component behaves correctly in isolation. The vulnerability only emerges from the interaction between them.
On Hacker News, ostif-derek warned:
This is a bad one. Rating it a medium understates how hard it hits thousands of downstream projects and billions of installs. People need to patch asap. I'm normally against the "giving a bug a name, logo, and website" trope, but this one is getting poor patch rates because of it being rated a medium.
While acknowledging the risk posed by the vulnerability, user acdha offers a more nuanced perspective in this discussion:
I agree it’s fairly bad on its own but it’s substantially mitigated if you aren’t exposing Starlette/FastAPI directly to the internet – if you use a CDN, load-balancer / API Gateway, or a fronting web server it’s likely that your service is protected since the attacks depend on characters which are not valid in DNS (and in the first couple of cases, likely need to match to route traffic to the right customer).
The vulnerability has been promptly fixed in Starlette 1.0.1. A free online scanner is available at badhost.org.