A single malformed character in a web request can let an unauthenticated attacker slip past the access controls that guard applications built on Starlette, the open-source Python framework that powers FastAPI, researchers said.
The flaw, tracked as CVE-2026-48710 could allow attackers to bypass host-validation protections using malformed Host headers, according to an advisory from cybersecurity firm X41 D-Sec.
The attacker needs no password and no action from a victim, it said.
Starlette’s maintainer released a patch through an official GitHub security advisory after X41 D-Sec disclosed the vulnerability in coordination with the Open Source Technology Improvement Fund (OSTIF). They found the flaw during an unrelated source-code audit, and traced it to Starlette rather than the application under review.
“This bug is a classic ‘responsibility gap’ where if this maintainer didn’t patch, thousands of exposed projects would have to individually secure their projects,” OSTIF said.
The researchers have created a website, badhost.org, that can test websites for the vulnerability.
Exploiting the bug
The flaw lies in how Starlette rebuilds the address of an incoming request, according to X41 D-Sec. The framework joins the Host header sent by the client to the path that was requested to form a complete URL, but parses the whole and the parts for validity using different rules.
A Host header containing a slash, question mark or hash character shifts where the path begins, the researchers said, so the path Starlette reports no longer matches the one the server actually received.
That gap is where the risk lies, according to the firm. Starlette routes the request to the real path, but middleware and endpoints read the altered one. An application that restricts sensitive routes by checking the path it sees can let a request through while still running the protected route behind it.
X41 D-Sec published a demonstration with its advisory. The researchers sent a request to a protected administrative page and received a “403 Forbidden” response. They sent the same request with one extra character in the Host header, and the page returned a “200 OK.” The same pattern has surfaced in other recent authentication-bypass flaws in open-source AI frameworks.
Severity rating under dispute
Starlette’s maintainer rated the flaw at 6.5 out of 10, or Moderate, on the CVSS scale in the GitHub advisory. X41 D-Sec rated it 7.0, or High, and said the danger to software built on Starlette runs higher than either figure suggests.
The damage an attacker can do depends on what each application does with the forged path. X41 D-Sec said it found several open-source projects whose security checks rely on the reconstructed address. In those projects, the single-character flaw could chain into “authentication bypass to SSRF and other issues that in some cases even lead to remote-code-execution on the affected system,” the researchers wrote.
The reach extends well past Starlette itself. A separate advisory from security firm Secwest on the flaw said the score “materially understates the downstream impact” and warned that the bug touches “most of the model-serving, gateway, proxy, eval, agent, and MCP-server infrastructure that has been stood up in the last two years.”
Affected software includes model-serving tools, API gateways, OpenAI-compatible proxies, agent frameworks and Model Context Protocol servers built on FastAPI, according to X41 D-Sec and Secwest.
An application can be exposed even if its developers never installed Starlette, because another component may have, X41 D-Sec said. Starlette has more than 400,000 dependent projects on GitHub, according to the firm.
Who is most exposed
Not every dependent project is equally at risk, X41 D-Sec said. Whether an application can be attacked comes down to how it is. The dividing line is the reverse proxy: A proxy such as nginx or Apache HTTP Server rejects the malformed request before it reaches the application, and production websites usually sit behind such a layer. Research, evaluation and development setups for AI software often do not, and many run the application server facing the network directly, it said.
Three groups face the most exposure, according to X41 D-Sec: those running a FastAPI or Starlette application directly on an application server with no compliant reverse proxy in front; those exposing a model proxy such as LiteLLM or vLLM as a directly reachable endpoint; and those whose access-control code reads the reconstructed request address rather than the raw path.
The researchers advised teams to upgrade to Starlette 1.0.1 or later, which validates the Host header and rejects malformed values.
No Responses