CVE-2026-48710 "BadHost" — Starlette (FastAPI / vLLM / LiteLLM / MCP SDK): Pre-Auth Auth Bypass via Malformed Host Header
From CTI Daily Brief — 2026-05-30 · published 2026-05-30
Starlette < 1.0.1 reconstructs request.url by concatenating the HTTP Host header with the request path and re-parsing the composite string, but validates each component under separate rules (X41 D-Sec Advisory x41-2026-002, 2026-05-22; GitHub Advisory GHSA-86qp-5c8j-p5mr). Injecting a /, ?, or # into the Host header (e.g. Host: example.com/health?x=) shifts the path boundary reported by request.url.path, causing middleware applying path-based access control to authorise access to an unintended route while the ASGI handler serves the attacker-specified one. A single curl -H 'Host: foo?' localhost:8000/admin bypasses authentication. Root cause: CWE-436 (Interpretation Conflict). CVSS 3.1 = 6.5 (GitHub Advisory); X41 scores 7.0 under CVSS 4.0.

Affected: all Starlette versions ≥ 0.8.3, < 1.0.1; downstream dependents include FastAPI, vLLM, LiteLLM, Google ADK-Python, BentoML, Gradio, Langflow, Open WebUI, and the Python MCP SDK — approximately 325 million weekly downloads and 400,000+ GitHub dependents. Discovered by X41 D-Sec during an OSTIF-sponsored vLLM audit.

Nginx, Apache, Caddy, Traefik, HAProxy, and Cloudflare all terminate malformed Host headers upstream; only direct-listen Python ASGI deployments without a compliant reverse proxy are exposed. No confirmed exploitation as of publication. NCSC-NL issued advisory NCSC-2026-0171 on 29 May; CCB Belgium issued a "Patch Immediately" advisory.

Fix: upgrade Starlette to ≥ 1.0.1 (or pull FastAPI ≥ 0.115.5, vLLM ≥ 0.23.0, or the equivalent downstream package that pins the fixed Starlette). If patching is not immediately possible, place a compliant reverse proxy in front of any ASGI application using path-based access control.

Detection: parse web-server access logs for Host header values containing /, ?, or # followed by path components.
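The detection step above, as an added example that is not part of the advisory or of Starlette itself: it scans access-log lines for Host values containing /, ? or # and, for each hit, shows how far the re-parsed path drifts from the path actually served. The log format, the host="..." field, and the sample lines are constructed assumptions; the urlsplit reconstruction only approximates the vulnerable concatenate-and-reparse behaviour.

```python
import re
from urllib.parse import urlsplit

# Constructed log format for this example (not a server default): it assumes the
# server was configured to log the Host header, e.g. an nginx log_format that
# appends host="$http_host" to the combined format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
    r'host="(?P<host>[^"]*)"$'
)
# The advisory's detection criterion: a "/", "?" or "#" inside the Host value can
# move the path boundary once host and path are concatenated and re-parsed.
BAD_HOST_RE = re.compile(r"[/?#]")


def is_suspicious_host(host: str) -> bool:
    """True when the Host header contains a path, query or fragment delimiter."""
    return BAD_HOST_RE.search(host) is not None


def scan_log(lines):
    """Return one finding per parseable request whose Host header is malformed."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not in the expected format; skip rather than guess
        host, path = m.group("host"), m.group("path")
        if not is_suspicious_host(host):
            continue
        # Approximation of the vulnerable reconstruction (host + path, re-parsed):
        # middleware_path is what path-based access control would see, served_path
        # is what the handler actually served.
        composite = f"http://{host}{path}"
        findings.append({
            "client": m.group("client"),
            "host": host,
            "served_path": path,
            "middleware_path": urlsplit(composite).path,
            "status": int(m.group("status")),
        })
    return findings


# Constructed sample lines; the two malformed Host values are those the advisory cites.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/May/2026:10:00:01 +0000] "GET /health HTTP/1.1" 200 host="api.example.com"',
    '10.0.0.9 - - [30/May/2026:10:00:02 +0000] "GET /admin HTTP/1.1" 200 host="foo?"',
    '10.0.0.9 - - [30/May/2026:10:00:03 +0000] "GET /admin HTTP/1.1" 200 host="example.com/health?x="',
    "garbage line that does not parse",
]
```

Run scan_log(SAMPLE_LOG) to list the two malformed-Host requests; a non-empty result against production logs is the trigger to confirm the Starlette version behind the listener and whether a compliant reverse proxy sits in front of it.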
CVE Summary Table
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-0257 | Palo Alto PAN-OS GlobalProtect | 7.8 (CVSS 4.0) | — | Yes (2026-05-29) | Yes — ITW waves 2026-05-18, 2026-05-21 | 10.2.7-h34+, 11.1.4-h33+, 11.2.4-h17+, 12.1.4-h6+ | PAN PSIRT |
| CVE-2026-48710 | Starlette / FastAPI / vLLM / LiteLLM / MCP SDK | 6.5 (CVSS 3.1) / 7.0 (CVSS 4.0) | — | No | No confirmed exploitation | Starlette ≥ 1.0.1 | GitHub Advisory |