Starlette flaw lets attackers bypass authentication on any FastAPI app using path-based auth

Security researchers at X41 D-Sec, working on an OSTIF-funded audit of the vLLM inference framework, discovered a critical authentication bypass vulnerability in Starlette — the Python ASGI framework that underpins FastAPI and a broad ecosystem of AI agent infrastructure. Tracked as CVE-2026-48710 and named BadHost, the flaw allows an attacker to manipulate the HTTP Host header to make Starlette report a different URL path than the one the web server actually routed — bypassing any middleware that uses request.url.path for access control decisions. The fix is available in Starlette 1.0.1.

The scope of exposure is wide. Starlette has more than 400,000 dependents on GitHub and over 325 million weekly downloads on PyPI. Affected applications include anything built on FastAPI with path-based authentication middleware, along with a specific set of AI infrastructure tools: vLLM, LiteLLM, Model Context Protocol (MCP) servers, FastMCP, Google's ADK-Python, Ray Serve, and BentoML are all vulnerable when custom auth middleware is in place.

How the Attack Works

HTTP requests include a Host header that identifies the target domain. Starlette constructs its request.url object by concatenating the raw Host header with the request path, then re-parses the combined string back into a URL object. The problem: Starlette did not validate that the Host header conforms to RFC 9112 grammar before using it in this construction. An attacker can inject path-separator characters — /, ?, or # — into the Host header, which shifts what the parser sees as the path, query, and fragment when it re-parses the assembled URL.

The result is a split view: the ASGI server routes the request to the real path (say, /admin), but request.url.path — what the authentication middleware reads — reports the attacker-controlled path instead (/health, or any other benign path the middleware would allow through). The X41 advisory includes a proof-of-concept as simple as:

curl -H 'Host: foo?' localhost:8000/admin

On a vulnerable server with path-based auth, this returns 200 OK from the protected /admin endpoint rather than a 403 Forbidden.

The reason the vulnerability went undetected for so long is that it emerges from the interaction of three layers that each appear reasonable in isolation: ASGI servers pass the raw Host header through without validation; Starlette trusts it for URL construction; and middleware developers assume request.url.path is a safe, server-authoritative value for access control. No single layer is broken on its own.

Who Is Affected

The vulnerability matters most for applications that gate access to protected endpoints using middleware that checks the request path. This is a common pattern in FastAPI applications where a path prefix (like /admin, /internal, or /v1/private) determines authorization. Applications that use FastAPI's built-in Depends() or Security() decorators at the individual route level are generally not affected, because those mechanisms check authorization at route resolution time rather than via path inspection in middleware.

The AI infrastructure impact is the most acute concern. MCP servers — which implement the Model Context Protocol for connecting AI agents to tools and data sources — are particularly exposed because the MCP specification mandates unauthenticated OAuth discovery endpoints, giving attackers a known reliable bypass path without needing to guess which paths are unprotected. vLLM and LiteLLM, widely used for serving and proxying large language models in production, are affected when they sit behind custom Starlette-based authentication middleware. Google's ADK-Python, the Python SDK for building AI agents with Google's models, is also in the affected list.

Remediation

The primary fix is upgrading to Starlette 1.0.1, which rejects Host headers containing invalid characters rather than using them for URL construction. For applications that cannot immediately upgrade, the mitigation is to replace any use of request.url.path in authentication or authorization middleware with scope["path"] — the ASGI scope path, which comes directly from the HTTP request line and is not influenced by the Host header. The longer-term recommendation is to avoid path-based authentication in middleware entirely in favor of FastAPI's route-level Depends() and Security() mechanisms.

The research team released detection tooling alongside the disclosure: Semgrep rules, CodeQL queries for static analysis, and a free scanner at badhost.org that can test endpoints directly. The scanner supports three modes — MCP-specific, AI infrastructure auto-discovery, and custom path testing — so teams can assess exposure without reading the advisory in full.

CVE-2026-48710 was discovered on January 27, 2026 and coordinated for public disclosure on May 21–22, 2026, following the Starlette 1.0.1 patch. Full technical details are in the X41 advisory at x41-dsec.de.