Also known as:X41-2026-002/GHSA-86qp-5c8j-p5mr/PYSEC-2026-161 Discovered byX41 D-Secduring anOSTIF-sponsored auditScanner & automation byNemesis Automatically discovers MCP endpointsandcommon inference API paths (vLLM, LiteLLM, OpenAI-compatible). Best for scanning AI infrastructure where the exact stack is unknown. Scans generalFastAPI / Starletteapplications for CVE-2026-48710. Auto-discovers protected endpoints via/openapi.jsonschema parsing and common path patterns (admin panels, REST APIs, AI agent platforms, e-commerce, SaaS). ScansMCPservers only. Probes standard MCP endpoints (/mcp,/sse,/messagesand variants) for auth-protected JSON-RPC, then attempts Host-header bypass. Any Starlette or FastAPI application with path-based auth middleware is affected. Select a preset or specify your own paths. X-Forwarded-Host modeBy default the malicious payload is sent in theHostheader. Some proxies (CloudFlare, Nginx) reject non-standard Host values with 400. UseAlwaysto send the payload viaX-Forwarded-Hostinstead (with a validHost), orAutoto retry withX-Forwarded-Hostonly when the server returns 400. Bypass strategies Starlette < 1.0.1 buildsrequest.urlby concatenating the HTTPHostheader with the request path. An attacker can send a crafted request likeGET /protectedwith aHost: example.com/health?x=header. The request will reach the/protecedpath, butrequest.urlwould behttps://example.com/health?x=/protected, andrequest.url.pathwould return/healthinstead of the real request path. Any middleware that uses this value to decide whether to enforce authentication can be bypassed. More details can be found in theX41-2026-002advisory. Any Python application built on Starlette or FastAPI that usesstarlette < 1.0.1and usesrequest.url(orstarlette.datastructures.URL(scope=...)) in a middleware to make security decisions based on itspath(e.g. allowlists, denylists, CSRF exemptions, rate limiting, payment gates), and runs on any ASGI server (Daphne, Granian, Gunicorn, Hypercorn, Anycorn, Uvicorn). Use the scanner above, grep your codebase forrequest.url.pathin middleware files, or try the tools from theX41 open-source repository. This includes LLM inference servers like vLLM, LLM proxy servers like LiteLLM, AI agent frameworks, MCP gateways, and custom APIs. MCP servers are especially at risk because the MCP spec mandates unauthenticated OAuth discovery endpoints, providing a reliable path for exploitation This vulnerability is not specific to LLMs, but many LLM inference servers (vLLM), LLM proxy servers (LiteLLM), AI agent frameworks, and MCP gateway implementations are built on FastAPI/Starlette and use path-based auth to protect API endpoints. A bypass can expose model access, API keys, and internal tooling. Google ADK-Python, Ray Serve, and BentoML also use Starlette middleware and are potentially affected when custom auth middleware is added. Any custom MCP server, FastMCP integration, or AI agent backend using Starlette routing with auth middleware should be tested. Note: FastAPI's built-inDepends()security uses route matching, notrequest.url.path, so standard dependency-injection auth is safe — the risk is in customBaseHTTPMiddlewareor raw ASGI middleware. Yes. RFC-compliant reverse proxies (nginx, Caddy, Traefik, HAProxy) validate and reject invalidHostheaders, which neutralizes the injection. However, many deployments — especially dev, staging, and self-hosted instances — expose ASGI servers directly without a proxy. The scanner first confirms a protected endpoint denies access without credentials. Tier 1 then tests whether the middleware uses a denylist (fail-open) pattern by injecting a random path into the Host header — this catches misconfigured middleware in just a few requests. If Tier 1 fails, Tier 2 discovers known unauthenticated paths and injects those for allowlist-based (fail-closed) middleware. Raw TCP sockets are used because standard HTTP clients normalize the Host header, which would prevent the test. Anthropic's Claude Mythos found 10,000+ vulnerabilities through Project Glasswing — but not this one. The reason is structural: CVE-2026-48710 is not a bug in one file or one repo. It spans three independent layers — ASGI servers pass the raw Host header, Starlette trusts it for URL construction, and middleware authors assumerequest.url.pathis safe for auth decisions. Each component behaves correctly in isolation. The vulnerability only emerges from the interaction between them, across specifications (HTTP, ASGI, Starlette, MCP). Finding it required manual security research — understanding how these layers combine and building end-to-end exploit labs to confirm the attack. That is a fundamentally different shape of work than pointing an AI agent at a single codebase. Once the bug class was understood, measuring its real-world impact was a separate effort: writing custom CodeQL queries and scanning dependent projects at scale — Starlette alone has more than 400k dependents on GitHub. This impact assessme...