{
  "title": "Starlette CVE-2026-48710: BadHost Authentication Bypass",
  "summary": "CVE-2026-48710 (nicknamed 'BadHost') is a critical authentication bypass vulnerability in Starlette that also affects Python projects depending on it, such as FastAPI, vLLM, and LiteLLM. An attacker can inject path boundary characters into the Host header to bypass path-based security middleware. Starlette versions before 1.0.1 are affected; 1.0.1 contains the fix, so check the resolved starlette version even where it is only a transitive dependency. This article provides dependency audits and HTTP log hunting scripts.",
  "date": "2026-05-26",
  "severity": "critical",
  "tags": [
    "starlette",
    "fastapi",
    "zero-day",
    "security-bypass",
    "cisa-kev"
  ],
  "sources_count": 2,
  "indicators": {
    "slug": "starlette-cve-2026-48710-badhost",
    "since": "2026-05-26T00:00:00Z",
    "until": "2026-05-26T23:59:59Z",
    "ecosystem": "",
    "cves": [
      "CVE-2026-48710"
    ],
    "cwes": [
      "CWE-346",
      "CWE-284"
    ],
    "advisoryIds": [],
    "products": [
      "Starlette (ASGI toolkit)",
      "Starlette",
      "FastAPI",
      "vLLM",
      "LiteLLM"
    ],
    "packages": [
      "starlette",
      "fastapi"
    ],
    "versions": [],
    "affectedVersions": [
      "Starlette < 1.0.1"
    ],
    "fixedVersions": [
      "1.0.1"
    ],
    "files": [],
    "paths": [],
    "services": [],
    "domains": [],
    "urls": [],
    "ips": [],
    "hashes": [],
    "processPatterns": [],
    "networkPatterns": [],
    "telemetrySelectors": [
      "starlette",
      "fastapi",
      "Host",
      "/health"
    ]
  }
}