ctipilot.ch


CVE-2026-48710 "BadHost" — Starlette pre-auth host-header auth bypass across the Python AI/ASGI stack

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

X41 D-Sec disclosed (via OSTIF) a pre-authentication authentication bypass in Starlette triggered by a malformed Host header (CVE-2026-48710, CVSS 6.5, first covered 2026-05-30; NCSC-NL NCSC-2026-0171). The reason it earns an H3 despite the medium CVSS is the dependency blast radius: Starlette is the ASGI core under FastAPI, vLLM, LiteLLM and the MCP Python SDK, so a single transitive dependency carries the flaw into a large slice of the Python AI-serving and agent tooling that public-sector teams are standing up this year. PoC is public. Pin Starlette to the fixed release across the dependency tree and front affected services with a proxy that normalises or rejects malformed Host headers.
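Added example, not code from the advisory, X41 or the Starlette project: a strict Host-header gate installed as the outermost ASGI layer, the in-process counterpart of the proxy-side normalise-or-reject the brief recommends, to sit alongside the pinned fix rather than replace it. The allowlist and hostnames are constructed for the illustration.

```python
import re

# Constructed allowlist for this example: the names the service may legitimately be reached as.
ALLOWED_HOSTS = frozenset({"api.example.internal", "localhost"})

# Strict reg-name syntax (RFC 3986 host labels) with an optional port: no IPv6 brackets,
# userinfo, whitespace, empty labels or trailing dot. Anything else is treated as malformed.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"^(?P<host>{_LABEL}(?:\.{_LABEL})*)(?::(?P<port>[0-9]{{1,5}}))?$")


def normalise_host(raw):
    """Return the lowercased hostname if `raw` is well-formed and allowlisted, else None."""
    if not isinstance(raw, str) or len(raw) > 259:          # 253-char name plus ":65535"
        return None
    if any(c.isspace() for c in raw):                       # leading, trailing or embedded
        return None
    m = _HOST_RE.fullmatch(raw.lower())
    if m is None:
        return None
    port = m.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        return None
    host = m.group("host")
    return host if host in ALLOWED_HOSTS else None


def host_from_headers(headers):
    """Validate the Host header from ASGI (name, value) byte pairs; exactly one must be present."""
    values = [v for k, v in headers if k.lower() == b"host"]
    if len(values) != 1:                                     # absent or duplicated: reject
        return None
    try:
        return normalise_host(values[0].decode("ascii"))
    except UnicodeDecodeError:
        return None


class StrictHostMiddleware:
    """Outermost ASGI wrapper: answers 400 before the inner app or anything trusting request.url runs."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and host_from_headers(scope.get("headers", [])) is None:
            await send({"type": "http.response.start", "status": 400,
                        "headers": [(b"content-length", b"0")]})
            await send({"type": "http.response.body", "body": b""})
            return
        await self.app(scope, receive, send)
```

Wrap the application as `StrictHostMiddleware(app)` so the check runs before any framework middleware; a 400 spike in the access log for this layer is also a cheap detection signal.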