CVE-2026-48710 BadHost: Starlette Host-Header Authentication Bypass Threatens Millions of AI Servers (FastAPI, vLLM, LiteLLM, MCP Servers)
Date: 2026-06-30
Tags: mcp-security, malicious-tool
Executive Summary
CVE-2026-48710 (BadHost) stems from how Starlette constructs request URLs: the framework takes the HTTP Host header, which an attacker can freely manipulate, and concatenates it with the request path without any prior validation, resulting in unauthenticated manipulation of request-processing logic. This host-header injection flaw in Starlette, the ASGI core behind FastAPI and most of Python's AI serving stack, lets unauthenticated attackers bypass path-based authentication middleware without a single credential. It affects all Starlette versions before 1.0.1, and the blast radius includes vLLM, LiteLLM, MCP servers, and thousands of AI agent backends. Security firm Sysdig documented the first live cyberattack in which an LLM agent autonomously performed post-exploitation actions, including exfiltrating an AWS database, in under an hour.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | BadHost Authentication Bypass (CVE-2026-48710) |
| Attribution | X41 D-Sec (discovery and coordination) (confidence: none) |
| Target | FastAPI applications, vLLM inference servers, LiteLLM proxy layers, MCP servers, custom AI agent frameworks |
| Vector | Malformed HTTP Host header injection bypassing path-based authentication |
| Status | active |
| First Observed | 2026-05-27 |
Detailed Findings
Sysdig documented the first live cyberattack in which an LLM agent autonomously performed post-exploitation actions, including exfiltrating an AWS database, in under an hour. The attack exploited CVE-2026-48710, a critical authentication bypass in Starlette (CVSS score not yet published at time of reporting, but described as critical) that affects millions of AI agents, FastAPI applications, vLLM deployments, LiteLLM instances, and every MCP server built on those frameworks.

In the documented attack, the threat actor used an LLM agent to carry out the following, all without human direction of individual steps:
- identify the vulnerability in a target system
- generate and execute exploit code autonomously
- escalate privileges inside the compromised environment
- identify and exfiltrate the target AWS database
- exfiltrate data

FastAPI, the most popular Python web framework for AI applications, is built on Starlette. Any FastAPI app using request.url.path in custom BaseHTTPMiddleware or raw ASGI middleware for auth decisions is affected. MCP (Model Context Protocol) servers and FastMCP integrations are especially at risk because the MCP specification mandates unauthenticated OAuth discovery endpoints, providing attackers a reliable path for exploitation.

A lack of input sanitization on Host header paths in Starlette leads to an auth bypass with a single character across a huge swath of Python LLM infrastructure, hitting very large and prominent projects such as FastAPI, LiteLLM, vLLM, text generation inference projects, most OpenAI shim proxies, MCP servers, agent harnesses, eval dashboards and model-management UIs.
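As an added example (not code from Starlette, FastAPI or the advisories), the raw ASGI guard below rejects malformed or unlisted Host values and makes its auth decision on `scope["path"]` instead of `request.url.path`. `ALLOWED_HOSTS`, `PUBLIC_PATHS`, `API_TOKEN`, `HostGuardAuth` and `status_for` are hypothetical names, and the bearer-token comparison stands in for whatever auth the application really uses.

```python
import asyncio
import hmac
import re

# Hostname or IPv4 with optional port. '/', '?', '#', '@' and whitespace never match.
# Bracketed IPv6 literals are deliberately out of scope here.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?(?::[0-9]{1,5})?")
ALLOWED_HOSTS = {"api.example.test"}   # assumption: names this service answers for
PUBLIC_PATHS = {"/health"}             # assumption: endpoints exempt from auth
API_TOKEN = b"constructed-demo-token"  # placeholder credential

def host_is_acceptable(raw: bytes) -> bool:
    host = raw.decode("latin-1")  # never fails; the regex only accepts ASCII
    return bool(HOST_RE.fullmatch(host)) and host.rsplit(":", 1)[0].lower() in ALLOWED_HOSTS

async def respond(send, status: int) -> None:
    await send({"type": "http.response.start", "status": status,
                "headers": [(b"content-length", b"0")]})
    await send({"type": "http.response.body", "body": b""})

class HostGuardAuth:
    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        hosts = [v for k, v in scope["headers"] if k == b"host"]
        if len(hosts) != 1 or not host_is_acceptable(hosts[0]):
            return await respond(send, 400)
        # scope["path"] comes from the request target, not from the Host header.
        if scope["path"] not in PUBLIC_PATHS:
            auth = dict(scope["headers"]).get(b"authorization", b"")
            if not hmac.compare_digest(auth, b"Bearer " + API_TOKEN):
                return await respond(send, 401)
        await self.app(scope, receive, send)

def status_for(host: bytes, path: str, auth: bytes = b"") -> int:
    """Drive the guard once with a constructed ASGI scope; return the status sent."""
    sent = []
    async def ok_app(scope, receive, send):
        await respond(send, 200)
    async def send(message):
        sent.append(message)
    scope = {"type": "http", "path": path,
             "headers": [(b"host", host), (b"authorization", auth)]}
    asyncio.run(HostGuardAuth(ok_app)(scope, None, send))
    return sent[0]["status"]
```

Rejecting the request with 400 before any routing or auth logic runs means a malformed Host never reaches code that might rebuild a URL from it.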
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Authentication Bypass | T1556 | Host header injection bypasses path-based authentication middleware by manipulating request.url construction |
| Privilege Escalation | T1548 | Bypass of auth middleware grants access to restricted API endpoints (MCP tools, LLM model endpoints, credential stores) |
| LLM Agent Autonomy Exploitation | T1649 | Compromised AI agent autonomously performs post-exploitation: reconnaissance, privilege escalation, data exfiltration |
IOCs
Domains
_Fix available in Starlette 1.0.1 onward. Scanner available at badhost.org for identifying affected applications. Not exploited at scale as of window close, but first autonomous LLM agent exploitation confirmed by Sysdig in June 2026._
Full URL Paths
https://badhost.org/
https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette/
Splunk Format
"https://badhost.org/" OR "https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette/"
Affected Platforms
Starlette (all versions < 1.0.1)
FastAPI
vLLM
LiteLLM
MCP servers
OpenAI proxy shims
Text generation inference projects
Detection Recommendations
MCP (Model Context Protocol) servers and FastMCP integrations are especially at risk because the MCP specification mandates unauthenticated OAuth discovery endpoints, providing attackers a reliable path for exploitation, and the bypass enables unauthorized access to LLM APIs, agent tooling, model endpoints, and internal AI infrastructure.

Immediate remediation:
- Upgrade all Starlette, FastAPI, vLLM, and LiteLLM instances to the latest patched versions.
- Audit custom BaseHTTPMiddleware and raw ASGI middleware for request.url.path usage in auth logic (unsafe).
- Deploy a reverse proxy (nginx, Apache, Cloudflare) with strict Host header validation in front of AI backends.
- Implement network segmentation isolating AI serving infrastructure.
- Disable or restrict MCP OAuth discovery endpoints where not required.
- Monitor HTTP request logs for anomalous Host header values (containing /, ?, #).
- Use the badhost.org scanner to identify vulnerable endpoints.
- Enforce Host header allowlists in FastAPI configuration.
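The log-monitoring recommendation above, as an added example that is not part of the original report or any vendor tooling: it scans JSON access-log lines for Host values containing `/`, `?` or `#` and separates out the ones that were answered with a 2xx. The log field names (`ts`, `src`, `host`, `path`, `status`) and the sample lines are constructed assumptions; map them to whatever your proxy actually logs.

```python
import json
from collections import defaultdict

SUSPECT_CHARS = set("/?#")  # characters the report flags as anomalous in a Host value

# Constructed sample: JSON access-log lines from a reverse proxy (field names assumed).
SAMPLE_LOG = """\
{"ts":"2026-06-02T10:00:01Z","src":"198.51.100.7","host":"api.example.test","path":"/v1/models","status":200}
{"ts":"2026-06-02T10:00:04Z","src":"203.0.113.9","host":"api.example.test/x","path":"/v1/models","status":400}
{"ts":"2026-06-02T10:00:05Z","src":"203.0.113.9","host":"api.example.test?x","path":"/v1/models","status":200}
not-json proxy startup banner
{"ts":"2026-06-02T10:00:09Z","src":"203.0.113.9","host":"api.example.test#x","path":"/admin","status":401}
"""

def scan(lines):
    """Group requests whose Host contains a suspect character by source address."""
    hits = defaultdict(list)
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise instead of aborting the scan
        if not isinstance(rec, dict):
            continue
        host = str(rec.get("host", ""))
        bad = sorted(SUSPECT_CHARS & set(host))
        if bad:
            hits[rec.get("src", "unknown")].append(
                {"ts": rec.get("ts"), "host": host, "chars": bad,
                 "path": rec.get("path"), "status": rec.get("status")})
    return dict(hits)

def served(hits):
    """Malformed-Host requests answered with 2xx: the ones to triage first."""
    return [h for group in hits.values() for h in group
            if isinstance(h["status"], int) and 200 <= h["status"] < 300]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for src, group in found.items():
        print(src, len(group), "malformed Host values")
    for h in served(found):
        print("served:", h["ts"], h["host"], h["path"], h["status"])
```

A malformed Host that still received a 2xx indicates the request got past the edge and the application, so those entries deserve review before the ones that were rejected.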
References
- [X41 D-Sec (via OSTIF)] Disclosing the BADHOST Vulnerability in Starlette (2026-05-26) — https://ostif.org/disclosing-the-badhost-vulnerability-in-starlette/
- [BadHost.org] BadHost – CVE-2026-48710: Starlette Host-Header Auth Bypass (2026-05-28) — https://badhost.org/
- [byteiota] CVE-2026-48710 BadHost: Starlette Flaw Hits AI Agents (2026-05-27) — https://byteiota.com/cve-2026-48710-badhost-starlette-fastapi-ai-agents/
- [Build Fast with AI] AI News Today - June 1, 2026: 11 Biggest Stories (includes Sysdig autonomous LLM agent exploitation) (2026-06-01) — https://www.buildfastwithai.com/blogs/ai-news-today-june-1-2026