{
  "title": "Starlette CVE-2026-48710: BadHost Authentication Bypass",
  "summary": "Starlette CVE-2026-48710 (BadHost) is a Host-header URL reconstruction flaw fixed in Starlette 1.0.1. New OSTIF, X41, Tenable, and BadHost scanner sources clarify that the highest-risk deployments are FastAPI/Starlette/LLM services whose middleware makes security decisions from request.url.path.",
  "date": "2026-05-26",
  "severity": "critical",
  "tags": [
    "starlette",
    "fastapi",
    "zero-day",
    "security-bypass"
  ],
  "sources_count": 5,
  "indicators": {
    "slug": "starlette-cve-2026-48710-badhost",
    "since": "2026-05-26T00:00:00Z",
    "until": "2026-05-26T23:59:59Z",
    "ecosystem": "",
    "cves": [
      "CVE-2026-48710"
    ],
    "cwes": [
      "CWE-346",
      "CWE-284"
    ],
    "advisoryIds": [],
    "products": [
      "Starlette (ASGI toolkit)",
      "Starlette",
      "FastAPI applications with affected middleware",
      "vLLM/LiteLLM/MCP services using affected middleware"
    ],
    "packages": [
      "starlette",
      "fastapi"
    ],
    "versions": [],
    "affectedVersions": [
      "Starlette < 1.0.1"
    ],
    "fixedVersions": [
      "1.0.1"
    ],
    "files": [],
    "paths": [],
    "services": [],
    "domains": [],
    "urls": [],
    "ips": [],
    "hashes": [],
    "processPatterns": [],
    "networkPatterns": [],
    "telemetrySelectors": [
      "starlette",
      "fastapi",
      "Host",
      "/health"
    ]
  }
}