Authentication Bypass in Starlette and FastAPI via BadHost CVE-2026-48710
CVE-2026-48710 identifies a critical vulnerability in the Starlette framework's handling of the Host header, which directly enables authentication bypasses in downstream frameworks, most notably FastAPI. The flaw is a discrepancy between the framework's routing logic and its URL reconstruction: the router matches on the raw ASGI path (request.scope["path"]), while request.url is rebuilt by concatenating the scheme, the client-supplied Host header and that path, then re-parsing the result. An application that performs security-critical operations, such as access control checks or authentication validation, by inspecting request.url rather than the raw request path is therefore susceptible to manipulation via a malformed Host header. Because /, ? and # are URL delimiters, a Host header containing one of them terminates the authority component early during re-parsing and shifts the real path into the path, query or fragment of the reconstructed URL; the perceived URL seen by security middleware thus diverges from the path the Starlette router actually dispatches. Requests can bypass authentication layers while still reaching sensitive endpoints, and depending on what those endpoints expose, the bypass can be chained into Server-Side Request Forgery (SSRF) and ultimately Remote Code Execution (RCE). Remediation requires updating Starlette to version 1.0.1, which implements strict validation to reject malformed Host headers. Until the upgrade is applied, authorization middleware should decide on request.scope["path"], the same value the router uses, rather than on the reconstructed URL, and should reject any Host header that does not match strict host[:port] syntax.
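To make the divergence concrete, the following standalone Python reproduces the parsing step with the standard library alone. It is an example added for this page, not Starlette's or FastAPI's own code; it assumes request.url is rebuilt as scheme + Host header + raw path and then split with urllib.parse.urlsplit, and the /admin prefix, the sample Host values and the is_valid_host pattern are constructed for illustration.

```python
"""
Added illustration (not Starlette's or FastAPI's own code): reproduces the
parsing discrepancy behind a Host-header path-confusion bypass using only the
standard library, so it runs offline.

Assumption: the framework rebuilds request.url as
    f"{scheme}://{Host header}{raw path}[?query]"
and then splits that string with urllib.parse.urlsplit. The router, by
contrast, dispatches on the raw ASGI path and never looks at Host.
"""
import re
from urllib.parse import urlsplit

PROTECTED_PREFIX = "/admin"   # hypothetical protected route prefix


def reconstruct_url(scheme: str, host: str, path: str, query: str = "") -> str:
    """Emulate the URL-reconstruction step: scheme + Host header + raw path."""
    url = f"{scheme}://{host}{path}"
    if query:
        url += "?" + query
    return url


def path_seen_by_middleware(host: str, path: str, query: str = "") -> str:
    """What a middleware that inspects request.url.path would see."""
    return urlsplit(reconstruct_url("http", host, path, query)).path


def path_seen_by_router(host: str, path: str) -> str:
    """The router consumes the raw ASGI path; the Host header plays no part."""
    return path


def naive_requires_auth(host: str, path: str) -> bool:
    """Vulnerable pattern: decide on the reconstructed URL."""
    return path_seen_by_middleware(host, path).startswith(PROTECTED_PREFIX)


def hardened_requires_auth(host: str, path: str) -> bool:
    """Hardened pattern: decide on the same raw path the router uses."""
    return path_seen_by_router(host, path).startswith(PROTECTED_PREFIX)


# Strict Host syntax (constructed pattern): a reg-name or bracketed IPv6 literal
# plus an optional port. Anything that can act as a URL delimiter (/, ?, #,
# whitespace, '@') fails the match and is rejected outright.
_HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9\-.]*[A-Za-z0-9])?|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?$"
)


def is_valid_host(host: str) -> bool:
    return bool(_HOST_RE.fullmatch(host))


def evaluate(host: str, path: str) -> dict:
    """Summarise how one request is interpreted by each component."""
    return {
        "host_valid": is_valid_host(host),
        "middleware_path": path_seen_by_middleware(host, path),
        "router_path": path_seen_by_router(host, path),
        "naive_requires_auth": naive_requires_auth(host, path),
        "hardened_requires_auth": hardened_requires_auth(host, path),
    }


# Constructed sample Host headers, each sent with a request for /admin.
SAMPLE_HOSTS = [
    "example.com",        # benign
    "example.com:8000",   # benign, with port
    "evil.com/#",         # '#' pushes /admin into the fragment
    "evil.com?",          # '?' pushes /admin into the query string
    "evil.com/",          # '/' turns the path into //admin
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host!r:22}", evaluate(host, "/admin"))
```

For the three malicious Host values the naive check concludes the request is not for /admin and lets it through, while the router still dispatches it to /admin; the hardened check agrees with the router in every case, and is_valid_host rejects the malformed headers before either check runs.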