X41 D-Sec GmbH

X41 D-Sec GmbH is an expert provider for application security services. Custom research and a IT security consulting and support services are core competencies of X41 D-Sec GmbH.
Homepage: https://www.x41-dsec.de
GitHub: https://github.com/x41sec
LinkedIn: https://de.linkedin.com/company/x41
There's an update for the Starlette issue: We've scanned thousands of hosts for CVE-2026-48710 and found something important: being behind a proxy or Cloudflare isn't always a protection, unlike previously stated!
When a reverse proxy or CDN (including Cloudflare) sits in front of the target and rejects malformed Host headers, the X-Forwarded-Host header can sometimes be used to bypass the protection! If the backend middleware reads X-Forwarded-Host and updates the ASGI scope, the malicious value can reach the ASGI and Starlette. #badhost
While everyone was on holiday we scanned a few thousand hosts for #BadHost (CVE-2026-48710): zero auth required, and we found clinical trial databases, email mailboxes, MCP servers for SSH industrial IoT via bastion servers, and live PII APIs wide open. The FastAPI/MCP ecosystem is sitting exposed - patch to Starlette 1.0.1 now and check your exposure at https://badhost.org
BadHost - CVE-2026-48710 Starlette Host-Header Auth Bypass

Scan your Starlette or FastAPI server for CVE-2026-48710 (BadHost): a critical auth bypass via Host header injection affecting MCP servers, LLM proxies, AI agent frameworks, and thousands of Python ASGI applications.

CVE-2026-48710 - Nemesis - BadHost

Patch Starlette now! If you run it via uvicorn or other common ASGI servers, then a host header parsing issue can lead to vulnerabilities ranging from auth bypass up to RCE! Examples of affected packages are LiteLLM, vLLM, etc. Here is the X41 Advisory:

https://x41-dsec.de/lab/advisories/x41-2026-002-starlette/

Advisory X41-2026-002: Request Host Header not Validated in Starlette

Missing Host header validation leads to misleading URL path in Starlette

X41 D-Sec - Penetration Tests and Source Code Audits
New security audit of account and payment services

Late last year X41 D-Sec GmbH performed a white-box source-code audit of the Mullvad payment and account API and its supporting backend services.

Mullvad VPN

After auditing the @mullvadnet client applications in 2024, we have recently audited Mullvad VPN's API.
The API is used by clients, partners, and internal services to manage user accounts and parts of the VPN infrastructure.
Five issues were identified, of which only one had a very limited impact on users of the service.

The technical details may be found in our report: https://www.x41-dsec.de/security/research/news/2026/01/20/mullvad/

X41 Audited Mullvad VPN AB API

X41 releases the audit report of Mullvad VPN AB’s API and connected services


https://x41-dsec.de/security/training/tableopt/exercise/2025/03/12/tabletop-exercises/

What are Tabletop Exercises (TTX) and why they matter to companies.

Intro to Tabletop Exercises (TTX)

What is a tabletop exercise (TTX) and why your company should run one.

X41 D-Sec

X41 performed an audit of Hickory DNS, which is an open-source, Rust-based DNS client, server, and resolver. We were sponsored by the great folks at @ostifofficial and supported by @ProssimoISRG

Our full report can be downloaded here: https://x41-dsec.de/security/research/job/news/2025/03/10/hickory-review-2025/

X41 Reviewed Hickory DNS

X41 finished auditing Hickory DNS and releases the resulting report.

X41 D-Sec

X41 Reviewed Mullvad VPN
https://x41-dsec.de/news/2024/12/11/mullvad/

Many thanks to the @mullvadnet team for the professional and good interaction during this audit!

X41 releases the audit report of Mullvad VPN

X41 D-Sec
X41 released two advisories this week, one for Antragsgrün https://x41-dsec.de/lab/advisories/x41-2024-002-antragsgruen/ and one for chilkat https://x41-dsec.de/lab/advisories/x41-2024-003-chilkat-asn1/
Advisory X41-2024-002: Multiple Vulnerabilities in Antragsgrün

X41 discovered multiple vulnerabilities in Antragsgrün

X41 D-Sec
We just published our research on the use of power side channel analysis for fuzzing:
https://x41-dsec.de/news/2024/05/21/chipfuzz/
Using power side channel for fuzzing coverage

X41 explores using power side channels for fuzzing coverage guidance.
