E-Ink News Daily


CVE-2026-48710 Starlette Host-Header Auth Bypass

A critical security vulnerability (CVE-2026-48710) has been discovered in the Starlette web framework, affecting versions before 1.0.1. It allows attackers to bypass path-based authentication by manipulating the Host header. The flaw impacts thousands of applications built with Starlette and FastAPI, including major AI infrastructure such as vLLM, LiteLLM, and MCP servers. Users are advised to update to Starlette 1.0.1 or later and to avoid path-based authentication middleware in favor of endpoint-based authentication.

Background

Starlette is a popular ASGI framework for building web applications in Python, commonly used as the foundation for FastAPI and many AI/ML serving frameworks. Path-based authentication middleware is a common pattern in web applications: it restricts access to certain URL paths by matching the request path before the request reaches the endpoint, rather than enforcing authentication at the endpoint itself.

Source: Lobsters
Published: May 27, 2026 at 03:32 PM
Score: 9.0 / 10