- Description
- Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- starlette
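The advisory describes two defensive points: validate the `Host` header against the RFC 3986 §3.2.2 host[:port] grammar before using it to rebuild the URL (falling back to `scope["server"]` otherwise), and key access-control decisions on the raw ASGI path that routing actually used. The block below is an added illustration of both, not Starlette's own code; the function names, the simplified IP-literal pattern, the non-empty-host requirement and the sample scope are my constructions.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Host grammar from RFC 3986 §3.2.2: reg-name (which also covers dotted IPv4)
# or an IP-literal in brackets, optionally followed by ":" and a digits-only port
# (RFC 9112 §3.2). Anything that could re-delimit a URL ("/", "?", "#", "@",
# whitespace) is outside this alphabet. The IP-literal pattern is simplified.
_REG_NAME = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})+"
_IP_LITERAL = r"\[[0-9A-Fa-f:.]+(?:%25[A-Za-z0-9\-._~]+)?\]"
_HOST_RE = re.compile(rf"(?:{_IP_LITERAL}|{_REG_NAME})(?::[0-9]*)?")


def validate_host(raw: Optional[str]) -> Optional[str]:
    """Return the Host value if it matches host[:port], otherwise None."""
    if raw is None or not _HOST_RE.fullmatch(raw):
        return None
    return raw


def effective_host(scope: dict) -> str:
    """Authority used to build the URL: a valid Host header, else scope['server']."""
    for name, value in scope.get("headers", []):
        if name == b"host":
            host = validate_host(value.decode("latin-1"))
            if host is not None:
                return host
            break  # malformed: ignore it and fall back to the server address
    server_host, server_port = scope.get("server") or ("localhost", None)
    default_port = {"http": 80, "https": 443}.get(scope["scheme"])
    if server_port is None or server_port == default_port:
        return server_host
    return f"{server_host}:{server_port}"


def build_url(scope: dict) -> str:
    """Reconstruct the request URL from the ASGI scope with the validated authority."""
    query = scope.get("query_string", b"").decode("latin-1")
    url = f"{scope['scheme']}://{effective_host(scope)}{scope['path']}"
    return f"{url}?{query}" if query else url


def url_path_matches_scope(scope: dict) -> bool:
    """Invariant a guard relies on: the parsed URL path equals the path routing used."""
    return urlsplit(build_url(scope)).path == scope["path"]


def make_scope(host_header: str, path: str = "/admin/users") -> dict:
    """Constructed sample ASGI scope (not from the advisory) with one Host header."""
    return {"type": "http", "scheme": "http", "server": ("127.0.0.1", 8000),
            "path": path, "query_string": b"x=1",
            "headers": [(b"host", host_header.encode("latin-1"))]}
```

Middleware that restricts a prefix such as `/admin` should test `scope["path"]` directly, since that is the value the router matched, rather than a path re-derived from the reconstructed URL.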
CVSS 3.1
- Type
- Primary
- Base score
- 6.5
- Impact score
- 2.5
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- Severity
- MEDIUM
- security-advisories@github.com
- CWE-444
- Hype score
- Not currently trending
BadHost CVE bypasses Starlette auth via Host headers. Compromises AI agents, LLM gateways, MCP servers. Patch CVE-2026-48710 now. https://t.co/RfInrCeVdj
@foursignalsdev
2 Jun 2026
14 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Good mooorning 🐮 [Deadline is today] LiteSpeed cPanel CVE-2026-48172: the CISA KEV remediation deadline is today, 5/29, moo 🐮 And on top of that, Starlette's BadHost (CVE-2026-48710) has just come in too, moo… In 5 minutes this morning: ✅ Final confirmation of cPanel patch deployment status ✅ FastAPI/vLLM
@accell_mo_kun
28 May 2026
77 Impressions
0 Retweets
1 Like
0 Bookmarks
1 Reply
0 Quotes
@ohdonpier flagged BadHost (CVE-2026-48710) in Starlette today. The point matters: MCP servers are credential aggregators by design. Vault keeps the keys outside the MCP server process, brokered per-call. One framework CVE doesn't drain everything. https://t.co/bnPfzDU0FY
@1clawAI
28 May 2026
180 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
BadHost – CVE-2026-48710: Starlette Host-Header Auth Bypass https://t.co/H5Tg5PRSrh FastAPI vuln
@jreuben1
28 May 2026
76 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#BadHost (CVE-2026-48710) was also discovered in parallel by @_nlovin and Larry Yuan (https://t.co/HHeLTaXEw2), kudos!
@marver
27 May 2026
686 Impressions
0 Retweets
4 Likes
0 Bookmarks
0 Replies
0 Quotes
```json
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:encode:starlette:*:*:*:*:*:python:*:*",
            "matchCriteriaId": "4C7C6045-86A6-4FAC-AE15-B12438E9D1B4",
            "versionEndExcluding": "1.0.1",
            "versionStartIncluding": "0.8.3",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]
```