A vulnerability in the open-source Starlette framework could expose FastAPI-based AI infrastructure, LLM gateways and MCP servers to authentication bypass, SSRF and possible RCE attacks, prompting warnings that the flaw’s official severity rating understates its real-world impact.
A vulnerability in the open-source Python framework Starlette is exposing FastAPI-based AI infrastructure to authentication-bypass attacks, with researchers warning the flaw could ripple across thousands of downstream open-source projects.
Tracked as CVE-2026-48710, the flaw allows attackers to bypass host-validation protections using malformed Host headers. Researchers said the bug requires no password, no victim interaction and could enable authentication bypass, SSRF and, in some cases, remote-code execution.
The issue affects applications built on Starlette and FastAPI, including AI model-serving infrastructure, LLM gateways, MCP servers, OpenAI-compatible proxies and agent frameworks.
Researchers at X41 D-Sec discovered the flaw during an unrelated source-code audit and coordinated disclosure with the Open Source Technology Improvement Fund (OSTIF). A patch has since been released through an official GitHub security advisory, with users advised to upgrade to Starlette 1.0.1 or later.
According to the researchers, a single malformed character such as “/”, “?” or “#” can manipulate how Starlette reconstructs request URLs because the framework validates full URLs and individual URL parts using different parsing rules.
X41 D-Sec warned the flaw could lead to “authentication bypass to SSRF and other issues that in some cases even lead to remote-code-execution on the affected system.”
Secwest said the flaw’s severity score “materially understates the downstream impact,” warning the issue touches “most of the model-serving, gateway, proxy, eval, agent, and MCP-server infrastructure that has been stood up in the last two years.”
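The researchers' point is that a framework validating the raw Host header and the reconstructed URL under different parsing rules can be made to disagree about where the host ends. As an added, stand-alone illustration of the defensive check (not code from Starlette, X41 D-Sec or the advisory; function names and sample values are constructed), the following Python rejects a Host value unless it matches a strict authority grammar and survives a reconstruct-and-reparse round trip unchanged:

```python
import re
from urllib.parse import urlsplit

# Hypothetical defensive check, not Starlette's own implementation.
# A Host header is an RFC 3986 authority without userinfo: a reg-name,
# an IPv4 literal or a bracketed IP-literal, plus an optional ":port".
# The grammar below is deliberately stricter than the RFC (unreserved
# characters only) so that "/", "?", "#" and "@" can never slip through.
_HOST_RE = re.compile(
    r"(?:"
    r"\[[0-9A-Fa-f:.]+\]"          # IP-literal, e.g. [::1]
    r"|[A-Za-z0-9\-._~]+"          # reg-name or dotted IPv4
    r")(?::[0-9]{1,5})?"            # optional port
)


def host_header_is_wellformed(host: str) -> bool:
    """True only if the raw Host value matches the strict authority grammar."""
    return _HOST_RE.fullmatch(host) is not None


def host_roundtrips(host: str) -> bool:
    """Rebuild a URL from the raw Host the way a framework might, re-parse it,
    and require the parser's netloc to be byte-for-byte the raw Host.
    Any mismatch means the two parsing layers disagree about the host."""
    try:
        return urlsplit("http://" + host).netloc == host
    except ValueError:  # e.g. an unbalanced "[" makes urlsplit raise
        return False


def accept_host(host: str, allowed: set[str]) -> bool:
    """Defence in depth: well-formed, self-consistent, then on the allowlist.
    The allowlist comparison is done on the parsed hostname (lowercased,
    port stripped) only after both structural checks have passed."""
    if not host_header_is_wellformed(host) or not host_roundtrips(host):
        return False
    hostname = urlsplit("http://" + host).hostname
    return hostname is not None and hostname in allowed


if __name__ == "__main__":
    # Constructed sample Host values: the first two are clean, the rest
    # carry one of the delimiter characters the researchers describe.
    for sample in ("api.example.com:8000", "[::1]:8000",
                   "api.example.com/v1", "api.example.com?x=1",
                   "api.example.com#frag"):
        print(f"{sample!r:28} wellformed={host_header_is_wellformed(sample)}"
              f" roundtrips={host_roundtrips(sample)}")
```

The round-trip test is the cheap invariant to add to any request-logging or WAF rule: a Host value whose reparsed netloc differs from the raw header is worth alerting on regardless of which allowlist it would later hit.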