Markus Vervier 👾2d ago
PSA: we had to pause the month of bypasses (http://github.com/persistent-security/month-of-bypasses
) because of the #badhost situation, it will be continued as soon as things calm down!
GitHub - persistent-security/month-of-bypasses: Proof-of-Concepts for Detection Engineering Purposes Only

Proof-of-Concepts for Detection Engineering Purposes Only - persistent-security/month-of-bypasses

GitHub
al3d ago

3/3

This is a supply chain story dressed as a CVE. The ecosystem was built too fast. Security assumed it would catch up. It hasn't.

Digital sovereignty without perimeter defence is just security theatre. If you're running MCP servers and you skip the proxy because 'it adds complexity,' you've already lost.

https://haunted.lighthouse.co.im/articles/badhost-mcp-sovereignty/

#BadHost #CVE202648710 #Starlette #FastAPI #MCP #SupplyChain #CyberSecurity #DigitalSovereignty #ShadowIT #Architecture

BadHost and the Shrug: How a Single HTTP Header Unravels Digital Sovereignty

CVE-2026-48710 exposes MCP servers through a trivial HTTP Header parsing flaw. But the real story is why patches won't fix it: shadow IT deployments skip the proxy layer because it 'adds complexity.' When digital sovereignty depends on a shrug, you've already lost.

The New Oil3d ago

Millions of #AI agents imperiled by critical vulnerability in #OpenSource package

https://arstechnica.com/information-technology/2026/05/millions-of-ai-agents-imperiled-by-critical-vulnerability-in-open-source-package/

#cybersecurity #BadHost #Starlette #AIAgent #AgenticAI

Millions of AI agents imperiled by critical vulnerability in open source package

BadHost" was found in Starlette, a package with 325 million weekly downloads.

Ars Technica
X41 D-Sec GmbH3d ago
There's an update for the Starlette issue: We've scanned thousands of hosts for CVE-2026-48710 and found something important: Being behind a proxy or CloudFlare isn't always a protection unlike previously stated!
When a reverse proxy or CDN (including Cloudflare) sits in front of the target and rejects malformed Host headers, the X-Forwarded-Host header can sometimes be used to bypass the protection! If the backend middleware reads X-Forwarded-Host and updates the ASGI scope, the malicious value can reach the ASGI and Starlette. #badhost
Hacker News4d ago

BadHost – CVE-2026-48710: Starlette Host-Header Auth Bypass

https://badhost.org/

#HackerNews #BadHost #CVE-2026-48710 #Starlette #Security #Vulnerability #Auth #Bypass

BadHost - CVE-2026-48710 Starlette Host-Header Auth Bypass

Scan your Starlette or FastAPI server for CVE-2026-48710 (BadHost): a critical auth bypass via Host header injection affecting MCP servers, LLM proxies, AI agent frameworks, and thousands of Python ASGI applications.

CVE-2026-48710 - Nemesis - BadHost
Meteora Web4d ago

🚨 NEWS: Due minacce alla sicurezza digitale — la vulnerabilità BadHost in Starlette e il data leak del portale visti UK

Ecco i punti chiave in breve:
💡 Il panorama della sicurezza informatica è stato scosso da due incidenti di portata molto diversa ma ugualmente preoccupanti. Da un lato, una vulnerabilità critica in un pacchetto o...

🚀 LINK: https://meteoraweb.com/news/due-minacce-alla-sicurezza-digitale-la-vulnerabilita-badhost-in-starlette-e-il-data-leak-del-portale-visti-uk

#sicurezzaInformatica #starlette #badHost #dataLeak #uKVisa

OSTIF5d ago

During a security audit of vLLM managed by OSTIF.org, a bug was discovered through manual analysis by a senior security expert at X41 D-Sec.

A lack of input sanitization on host header paths in Starlette leads to bypassing auth with a single character across a huge swath of Python LLM infrastructure.

Update to Starlette 1.0.1 as soon as possible and read more about this vulnerability on https://badhost.org

#OSTIF #BadHost #vLLM #X41DSec

Markus Vervier 👾5d ago
While everyone was on Holiday we scanned a few thousand hosts for #BadHost (CVE-2026-48710): zero auth required and we found clinical trial databases, email mailboxes, MCP server for SSH industrial IoT via bastion servers, and live PII APIs wide open. The FastAPI/MCP ecosystem is sitting exposed - patch to Starlette 1.0.1 now and check your exposure at https://badhost.org
BadHost - CVE-2026-48710 Starlette Host-Header Auth Bypass

Scan your Starlette or FastAPI server for CVE-2026-48710 (BadHost): a critical auth bypass via Host header injection affecting MCP servers, LLM proxies, AI agent frameworks, and thousands of Python ASGI applications.

CVE-2026-48710 - Nemesis - BadHost
c.gerrishDec 19, 2022

Even after moving to Mastodon, I can't handle Andrea Mitchell on MSNBC. For some reason I keep giving her a chance and within seconds she something to cause me to change the channel.

#MSNBC #AndreaMitchell #BadHost #NotGoodAtAskingQuestions