Starlette Vulnerability Exposes vLLM, MCP Servers, and Most of Python AI Tooling
A single character injected into an HTTP Host header bypasses path-based authorization in Starlette. That is the entirety of CVE-2026-48710, nicknamed BadHost. The patched version, 1.0.1, shipped May 23, 2026.
How Large Is the Blast Radius
Starlette downloads 325 million times per week. It is the routing core of FastAPI. That means BadHost touches a significant portion of Python AI infrastructure by default, not by coincidence.
Confirmed affected packages: vLLM (where the bug was originally discovered), LiteLLM, FastAPI, Text Generation Inference, OpenAI-shim proxies, MCP servers, agent harnesses, eval dashboards, and model-management UIs. That covers most of what teams run when serving models at any scale.
The Severity Discrepancy
Official CVSS rating: 7 out of 10. The researchers who found it classify it as critical. The gap between those two numbers is worth paying attention to.
CVSS scores reflect the general case. The actual impact depends on what is running behind the authorization check. In AI tooling, the answer is often: a lot.
MCP Servers Are the Notable Exposure
MCP, the model context protocol, lets AI agents connect to external data sources. Databases, email, calendars. MCP servers store credentials for those systems.
Bypassing authorization on an MCP server does not just expose the server. It exposes whatever the server has keys to. Agent infrastructure accumulates privileged access by design. That makes it a more valuable target than the model endpoint itself.
What to Do
Update Starlette to 1.0.1. Security firms X41 D-Sec and Nemesis built an online scanner to check if a server is vulnerable before patching.
The fix has been available since May 23. If running any of the affected packages in a network-accessible configuration, path-based authorization is providing false confidence until the update is applied.
Source: Arstechnica