PT-2026-43329 · Fastapi+3
Ehhthing (+2)
Published: 2026-05-22 · Updated: 2026-05-27
CVE-2026-48710
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Starlette versions prior to 1.0.1

Description: Starlette fails to validate the HTTP Host request header before using it to reconstruct request.url. Because the routing algorithm uses the raw HTTP path while request.url is rebuilt from the Host header, a malformed header can cause request.url.path to differ from the actual requested path. This inconsistency allows attackers to inject paths into the host part, potentially bypassing security restrictions or authentication in middleware and endpoints that rely on request.url instead of the raw scope path. This issue affects the AI infrastructure stack, including FastAPI, vLLM, LiteLLM, and MCP servers.

Recommendations: Upgrade to version 1.0.1 or later.
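The following is an added illustration written for this advisory; it is not Starlette's code and does not reproduce its URL-reconstruction algorithm. It shows the two defensive measures the description implies for code that cannot upgrade immediately: reject a Host header that is not a syntactically valid host[:port], and base authorization decisions on the raw scope path rather than on a URL rebuilt from client-controlled headers. `rebuilt_path` is a generic demonstration of why a host value containing path characters corrupts a reconstructed URL; the `scope` dictionaries, the `/admin` prefix and the `authenticated` key are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Approximation of the RFC 3986 "host [ ":" port ]" grammar written for this
# example: a registered name or IPv4 literal, or a bracketed IPv6 literal,
# optionally followed by a numeric port. Anything containing "/", "?", "#",
# whitespace or control characters does not match.
_HOST_RE = re.compile(r"^(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.\-_~%]+)(?::[0-9]{1,5})?$")


def is_valid_host(host: str) -> bool:
    """True only if the Host header value is a syntactically valid host[:port]."""
    return _HOST_RE.fullmatch(host) is not None


def rebuilt_path(host: str, raw_path: str, scheme: str = "http") -> str:
    """Generic illustration (not Starlette's exact algorithm): build an absolute
    URL from scheme, Host and the raw request path, then parse the path back out.
    If the host part carries path characters, the parsed path no longer equals
    the raw path that routing actually used."""
    return urlsplit(f"{scheme}://{host}{raw_path}").path


def _host_from_scope(scope: dict) -> str:
    # ASGI-style headers: list of (name, value) byte pairs; assumed shape for this example.
    for name, value in scope.get("headers", []):
        if name == b"host":
            return value.decode("latin-1")
    return ""


def path_is_consistent(scope: dict) -> bool:
    """Detection check: does a URL rebuilt from Host still yield the raw scope path?"""
    return rebuilt_path(_host_from_scope(scope), scope["path"]) == scope["path"]


def authorize(scope: dict, protected_prefix: str = "/admin") -> tuple:
    """Hardened decision logic: reject a malformed Host up front, then decide on
    the raw scope path, never on a URL reconstructed from request headers.
    Returns (status_code, reason)."""
    host = _host_from_scope(scope)
    if not is_valid_host(host):
        return (400, "invalid Host header")
    if scope["path"].startswith(protected_prefix) and not scope.get("authenticated", False):
        return (401, "authentication required")
    return (200, "ok")


if __name__ == "__main__":
    # Constructed sample scopes for a local run.
    good = {"path": "/admin", "headers": [(b"host", b"example.com")]}
    bad = {"path": "/admin", "headers": [(b"host", b"example.com/other")]}
    print(path_is_consistent(good), authorize(good))
    print(path_is_consistent(bad), authorize(bad))
```

The `path_is_consistent` check is useful as a logging or alerting hook in a middleware layer: a request whose rebuilt path disagrees with the scope path is, by the description above, exactly the condition this advisory is about. The authorization function deliberately never touches the rebuilt URL.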

Fix

Weakness Enumeration: HTTP Request/Response Smuggling

Related Identifiers: CVE-2026-48710, PYSEC-2026-161

Affected Products

Fastapi
Litellm
Starlette
Vllm