BadHost CVE-2026-48710: Single character in HTTP Host header bypasses auth on millions of AI agent MCP servers

Timeline

1. 2026-05-26

   X41 D-Sec discovers CVE-2026-48710 (BadHost) in Starlette; Secwest co-publishes research documenting scope across vLLM, LiteLLM, TGI, most Python MCP server tooling.

2. 2026-05-26

   Nemesis partners with X41 D-Sec to launch public scanner (mcp-scan.nemesis.services) to detect vulnerable servers.

3. 2026-05-26

   Starlette 1.0.1 released with fix. Ars Technica publishes coverage. Researchers report confirmed in-the-wild exposure across biopharma, IoT, email/SaaS, and cloud monitoring.

4. 2026-05-26

   CVSS 7.0 assigned; X41 D-Sec publicly states rating materially understates severity given the breadth of affected MCP infrastructure.

5. Ongoing

   Millions of production servers still running pre-1.0.1 Starlette. Operators advised to run scanner and patch immediately.

Technical breakdown

• Starlette reconstructs the request URL from the HTTP Host header and path, but does not validate the Host header value. An injected character causes request.url.path to differ from the actual HTTP path used by Starlette's router.
• Auth middleware that relies on request.url.path (the reconstructed value) evaluates the wrong path — approving requests the router would route to protected endpoints.
• FastAPI is built directly on Starlette, inheriting the vulnerability. vLLM, LiteLLM, Text Generation Inference, and most OpenAI-shim proxies use FastAPI, making the entire Python AI inference stack affected.
• MCP servers are high-value targets: they store credentials for every external system they bridge. A BadHost bypass gives an attacker the keys to every system a compromised MCP server is authorized to reach.
• In some configurations, the vulnerability leads to SSRF or full remote code execution, not just auth bypass — the auth bypass is the minimum impact case.