Tools
Critical "BadHost" Vulnerability in Starlette Exposes Millions of AI Agents
A high-severity vulnerability in Starlette, the base framework for FastAPI, vLLM, and LiteLLM, allows attackers to bypass authentication on servers running AI agents via unvalidated Host headers.
Critical "BadHost" Vulnerability in Starlette Exposes Millions of AI Agents
A high-severity vulnerability tracked as **X41-2026-002 ("BadHost")** has been disclosed in Starlette, the foundational ASGI framework that underpins FastAPI, vLLM, LiteLLM, and thousands of other Python web services. The flaw allows attackers to bypass authentication on servers running AI agents by injecting malicious Host headers.
What happened
Security researchers at **X41 D-Sec GmbH** (JJ, Yassine El Baaj, and Markus Vervier) discovered that Starlette versions 0.8.3 through 1.0.0 accept **any value in the HTTP Host header without validation**. Because Starlette reconstructs the request URL from this header, an attacker can craft a Host value that points to a path on the server, effectively bypassing authentication middleware.
The vulnerability is present in Starlette's `request.url` object, which middlewares and endpoints rely on for authentication decisions. Since the Host header value is never checked against permitted domains or patterns, an attacker can inject arbitrary paths and gain unauthorised access.
Why this matters for self-hosted AI
Starlette is not an edge-case dependency — it is the backbone of the modern Python AI stack:
- **FastAPI** — the most popular Python web framework for AI APIs, used in countless self-hosted setups
- **vLLM** — the go-to inference engine for running large language models locally
- **LiteLLM** — the unified API proxy that connects to hundreds of model providers
- **FastLLM** — lightweight LLM serving
Because Starlette is the implementation of the ASGI (Asynchronous Server Gateway Interface), any tool that connects AI agents to external services via the **Model Context Protocol (MCP)** is also potentially exposed. The article from Ars Technica reports that millions of AI agents and tools worldwide are affected, with X41 describing the vulnerability as trivial to exploit.
Who is affected
Any service running **Starlette >= 0.8.3 and < 1.0.1** is vulnerable. Given that Starlette receives over **325 million downloads per week**, the blast radius is enormous. If you run any of the following in your self-hosted AI stack, you should check your dependency tree immediately:
- A FastAPI-based API server
- A vLLM inference endpoint exposed to a network
- A LiteLLM proxy
- Any Python ASGI application using Starlette
- Any MCP server that uses Starlette as its transport layer
How to fix it
The fix was released in **Starlette 1.0.1** on the encode/starlette repository. The latest version as of this writing is **1.2.0** (released May 28, 2026), which includes the security fix plus additional improvements.
Update your dependencies
If you use pip:
```bash
pip install --upgrade starlette
```
If you use uv:
```bash
uv pip install --upgrade starlette
```
If you use a requirements.txt or pyproject.toml, pin `starlette>=1.0.1`.
Verify your version
```bash
pip show starlette | grep Version
```
You should see **1.0.1** or later.
Check your other services
Because Starlette is a transitive dependency of FastAPI, vLLM, and LiteLLM, you need to check each project:
- **FastAPI**: Update FastAPI, which will pull in the patched Starlette. `pip install --upgrade fastapi`
- **vLLM**: Update your vLLM installation. Check the vLLM release notes for the minimum Starlette requirement.
- **LiteLLM**: Update LiteLLM, which will bring in the patched dependency.
Run a full vulnerability scan of your Python environments:
```bash
pip-audit
```
Mitigation if you cannot patch
If you cannot immediately update Starlette, you can apply a workaround by adding a middleware that validates the Host header before it reaches any authentication logic:
```python
from starlette.middleware.base import BaseHTTPMiddleware
from starlette.requests import Request
ALLOWED_HOSTS = {"your-domain.com", "localhost", "127.0.0.1"}
class HostHeaderValidationMiddleware(BaseHTTPMiddleware):
async def dispatch(self, request: Request, call_next):
host = request.headers.get("host", "").split(":")[0]
if host not in ALLOWED_HOSTS:
from starlette.responses import PlainTextResponse
return PlainTextResponse("Invalid Host", status_code=400)
return await call_next(request)
```
Add the middleware to your app and restart.
The bigger picture
This vulnerability highlights a recurring challenge in self-hosted AI infrastructure: the open source supply chain is complex, and a single unvalidated header in a foundational library can expose thousands of services. As AI agents become more autonomous and are granted access to credentials, databases, and third-party APIs, the security of the transport layer becomes critical.
For a broader look at securing your self-hosted AI stack, see Harden Docker Compose Stacks for Local AI Services and TLS Hardening Checklist for Caddy on a Self-Hosted AI Server.
Source
- X41-2026-002: Request Host Header not Validated in Starlette (X41 D-Sec, published 2026-05-22)
- Ars Technica: Millions of AI agents imperiled by critical vulnerability (Dan Goodin, 2026-05-26)
- Starlette GitHub — patch in v1.0.1+
