ctipilot.ch

Starlette/FastAPI host-header auth bypass (BadHost)

cve · CVE-2026-48710

Coverage timeline
3
first 2026-05-25 → last 2026-06-09
Peak priority
high
2 high · 1 notable
Sources cited
8
7 hosts
Sections touched
2
trending-vulnerabilities, weekly-vuln-rollup
Co-occurring entities
2
see Related entities below
ATT&CK techniques
0
no mapped behavior yet

Story timeline

  1. 2026-06-09CVE-2026-42271 — BerriAI LiteLLM: low-privilege command injection to host RCE, added to CISA KEV
    trending-vulnerabilities
  2. 2026-05-30CVE-2026-48710 "BadHost" — Starlette (FastAPI / vLLM / LiteLLM / MCP SDK): Pre-Auth Auth Bypass via Malformed Host Header
    trending-vulnerabilities
  3. 2026-05-25CVE-2026-48710 "BadHost" — Starlette pre-auth host-header auth bypass across the Python AI/ASGI stack
    weekly-vuln-rollup

Where this entity is cited

  • trending-vulnerabilities2
  • weekly-vuln-rollup1

Source distribution

  • github.com2 (25%)
  • advisories.ncsc.nl1 (12%)
  • badhost.org1 (12%)
  • blog.checkpoint.com1 (12%)
  • horizon3.ai1 (12%)
  • ostif.org1 (12%)
  • security.paloaltonetworks.com1 (12%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about Starlette/FastAPI host-header auth bypass (BadHost) (3)

2026-06-09 · view entry permalink →

HIGHCVE-2026-42271 +1exploited

CVE-2026-42271 — BerriAI LiteLLM: low-privilege command injection to host RCE, added to CISA KEV

CISA added CVE-2026-42271 to its KEV catalog on 8 June 2026, confirming active exploitation of a command-injection flaw in LiteLLM, the open-source AI gateway/proxy widely deployed to multiplex LLM API calls in enterprise AI stacks (GitHub Advisory GHSA-v4p8-mg3p-g94g). Two preview endpoints — POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list — accept a full MCP server configuration (command, args, env) in the request body; with stdio transport, the proxy spawns the supplied command on the host under the proxy's privileges. The endpoints were gated only by a valid API key with no role check, so any authenticated user (including low-privilege internal keys) could execute arbitrary commands. Horizon3.ai documents that chaining with CVE-2026-48710 (a Starlette Host-header validation bypass) makes the path unauthenticated (Horizon3.ai, 2026-06-01). Affected: LiteLLM 1.74.2 to < 1.83.7; fixed in 1.83.7, which adds role-based authorization on the MCP test endpoints.

CVE Summary Table

CVE Product CVSS EPSS KEV Exploited Patch Source
CVE-2026-50751 Check Point Security Gateway (IKEv1 Remote Access / Mobile Access VPN) 9.3 n/a Yes (2026-06-08) Yes (since 2026-05-07, Qilin affiliate) Hotfix sk185033 Check Point
CVE-2026-42271 BerriAI LiteLLM proxy (1.74.2 → < 1.83.7) 8.7 n/a Yes (2026-06-08) Yes (CISA-confirmed) Upgrade to 1.83.7 GitHub Advisory

CISA added CVE-2026-42271 to its KEV catalog on 8 June 2026, confirming active exploitation of a command-injection flaw in LiteLLM, the open-source AI gateway/proxy widely deployed to multiplex LLM API calls in enterprise AI stacks (GitHub Advisory GHSA-v4p8-mg3p-g94g).

ctipilot v2 brief (migrated)
vulnerability09 Jun 05:00Zmulti-sourceOpen finding ↗

2026-05-30 · view entry permalink →

CVE-2026-48710 "BadHost" — Starlette (FastAPI / vLLM / LiteLLM / MCP SDK): Pre-Auth Auth Bypass via Malformed Host Header

Starlette < 1.0.1 reconstructs request.url by concatenating the HTTP Host header with the request path and re-parsing the composite string, but validates each component under separate rules (X41 D-Sec Advisory x41-2026-002, 2026-05-22; GitHub Advisory GHSA-86qp-5c8j-p5mr). Injecting a /, ?, or # into the Host header (e.g. Host: example.com/health?x=) shifts the path boundary reported by request.url.path, causing middleware applying path-based access control to authorise access to an unintended route while the ASGI handler serves the attacker-specified one. A single curl -H 'Host: foo?' localhost:8000/admin bypasses authentication. Root cause: CWE-436 (Interpretation Conflict). CVSS 3.1 = 6.5 (GitHub Advisory); X41 scores 7.0 under CVSS 4.0. Affected: all Starlette versions ≥ 0.8.3, < 1.0.1; downstream dependents include FastAPI, vLLM, LiteLLM, Google ADK-Python, BentoML, Gradio, Langflow, Open WebUI, and the Python MCP SDK — approximately 325 million weekly downloads and 400,000+ GitHub dependents. Discovered by X41 D-Sec during an OSTIF-sponsored vLLM audit. Nginx, Apache, Caddy, Traefik, HAProxy, and Cloudflare all terminate malformed Host headers upstream; only direct-listen Python ASGI deployments without a compliant reverse proxy are exposed. No confirmed exploitation as of publication. NCSC-NL issued advisory NCSC-2026-0171 on 29 May; CCB Belgium issued a "Patch Immediately" advisory. Fix: upgrade Starlette to ≥ 1.0.1 (or pull FastAPI ≥ 0.115.5, vLLM ≥ 0.23.0, or the equivalent downstream package that pins the fixed Starlette). If patching is not immediately possible, place a compliant reverse proxy in front of any ASGI application using path-based access control. Detection: parse web-server access logs for Host header values containing /, ?, or # followed by path components.

CVE Summary Table

CVE Product CVSS EPSS KEV Exploited Patch Source
CVE-2026-0257 Palo Alto PAN-OS GlobalProtect 7.8 (CVSS 4.0) Yes (2026-05-29) Yes — ITW waves 2026-05-18, 2026-05-21 10.2.7-h34+, 11.1.4-h33+, 11.2.4-h17+, 12.1.4-h6+ PAN PSIRT
CVE-2026-48710 Starlette / FastAPI / vLLM / LiteLLM / MCP SDK 6.5 (CVSS 3.1) / 7.0 (CVSS 4.0) No No confirmed exploitation Starlette ≥ 1.0.1 GitHub Advisory
vulnerability30 May 05:00Zmulti-sourceOpen finding ↗

2026-05-25 · view entry permalink →

CVE-2026-48710 "BadHost" — Starlette pre-auth host-header auth bypass across the Python AI/ASGI stack

X41 D-Sec disclosed (via OSTIF) a pre-authentication authentication bypass in Starlette triggered by a malformed Host header (CVE-2026-48710, CVSS 6.5, first covered 2026-05-30; NCSC-NL NCSC-2026-0171). The reason it earns an H3 despite the medium CVSS is the dependency blast radius: Starlette is the ASGI core under FastAPI, vLLM, LiteLLM and the MCP Python SDK, so a single transitive dependency carries the flaw into a large slice of the Python AI-serving and agent tooling that public-sector teams are standing up this year. PoC is public. Pin Starlette to the fixed release across the dependency tree and front affected services with a proxy that normalises or rejects malformed Host headers.

vulnerability25 May 05:00Zmulti-sourceOpen finding ↗