Starlette

1 posts

/badhost-starlette-cve-2026-48710/featured-image.png
BadHost Breaks Into FastAPI and vLLM With a Single Character

May 27, 2026

BadHost is one character in an HTTP header that bypasses authentication on FastAPI, vLLM, LiteLLM, and the Python MCP SDK. They all run on Starlette. Starlette …