3/3

This is a supply chain story dressed as a CVE. The ecosystem was built too fast. Security assumed it would catch up. It hasn't.

Digital sovereignty without perimeter defence is just security theatre. If you're running MCP servers and you skip the proxy because 'it adds complexity,' you've already lost.

https://haunted.lighthouse.co.im/articles/badhost-mcp-sovereignty/

#BadHost #CVE202648710 #Starlette #FastAPI #MCP #SupplyChain #CyberSecurity #DigitalSovereignty #ShadowIT #Architecture

BadHost and the Shrug: How a Single HTTP Header Unravels Digital Sovereignty

CVE-2026-48710 exposes MCP servers through a trivial HTTP header parsing flaw. But the real story is why patches won't fix it: shadow IT deployments skip the proxy layer because it 'adds complexity.' When digital sovereignty depends on a shrug, you've already lost.

A fundamental parsing issue in Starlette, dubbed BadHost (CVE-2026-48710), enables attackers to bypass authentication by manipulating the HTTP Host header. This vulnerability, with historical parallels, critically impacts AI systems built on FastAPI, vLLM, and LiteLLM, which rely on Starlette. The attack chain is surprisingly simple, making immediate patching (Starlette 1.0.1) and…

https://www.tpp.blog/2e83vb7

#cybersecurity #starlette #cve202648710

🤖 This post was AI-generated.