Summary
Starlette patched a path-poisoning vulnerability (CVE-2026-48710) that allows attackers to bypass security middleware in AI agents and Python-based servers. The flaw enables unauthorized access to sensitive credentials and internal endpoints by manipulating the HTTP Host header.
Take Action:
If you're running applications built on Starlette, FastAPI, or LLM tools like vLLM, LiteLLM, or MCP servers, update Starlette to version 1.0.1 ASAP. While updating, put a reverse proxy (Nginx or Cloudflare) in front of your application to block malformed Host headers, and test your endpoints with the free scanner at BadHost.org.
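As an added defensive illustration of the "block malformed Host headers" advice (example code written for this page, not code from Starlette or from the BeyondMachines article), here is a dependency-free ASGI middleware that rejects a request before it reaches the application whenever the Host header is missing, duplicated, contains path or userinfo characters, or names a host outside an allowlist; the allowed host name `api.example.internal` is a constructed placeholder.

```python
import asyncio
import re
from typing import Iterable, Optional

# Well-formed Host header: a host name or bracketed IPv6 literal, optionally ":port".
# Slashes, '?', '#', '@', whitespace or a second host fail to match and are rejected.
_HOST_RE = re.compile(r"^(?P<name>[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::(?P<port>\d{1,5}))?$")


def host_is_acceptable(host: Optional[str], allowed_hosts: frozenset) -> bool:
    """True only if the Host value is syntactically valid and its name is allowlisted."""
    if host is None:
        return False
    match = _HOST_RE.fullmatch(host)
    return match is not None and match.group("name").lower() in allowed_hosts


class HostAllowlistMiddleware:
    """Wraps any ASGI app; answers 400 instead of forwarding a bad Host header."""

    def __init__(self, app, allowed_hosts: Iterable[str]):
        self.app = app
        self.allowed_hosts = frozenset(h.lower() for h in allowed_hosts)

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        hosts = [v.decode("latin-1") for k, v in scope["headers"] if k.lower() == b"host"]
        host = hosts[0] if len(hosts) == 1 else None  # zero or several Host headers: reject
        if not host_is_acceptable(host, self.allowed_hosts):
            await send({"type": "http.response.start", "status": 400,
                        "headers": [(b"content-type", b"text/plain")]})
            await send({"type": "http.response.body", "body": b"Bad Host header"})
            return
        await self.app(scope, receive, send)


async def _demo_app(scope, receive, send):
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def status_for_host(raw_host: Optional[bytes], allowed=("api.example.internal",)) -> int:
    """Drive one constructed ASGI request through the middleware; return the status code."""
    headers = [] if raw_host is None else [(b"host", raw_host)]
    scope = {"type": "http", "method": "GET", "path": "/", "headers": headers}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(HostAllowlistMiddleware(_demo_app, allowed)(scope, receive, send))
    return sent[0]["status"]
```

Running `status_for_host(b"api.example.internal:8000")` returns 200, while a value carrying a slash, an `@`, or no Host header at all returns 400 without the wrapped app ever executing.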
This article was originally published on BeyondMachines