DigiNews

Tech Watch by Johan Denoyer


The Melancholy of Slaying Monsters

Quality: 8/10 Relevance: 9/10

Summary

This article presents CVE-2026-48710, also known as BadHost, a critical vulnerability in Starlette versions before 1.0.1 in which the Host header is used to build request.url without proper sanitization. It explains how attackers can forge request.url.path to bypass path-based authentication, outlines the affected AI infrastructure (including vLLM, LiteLLM, MCP servers, and AI agent frameworks), and details scanning tools and remediation steps. The piece also discusses the multi-layer nature of the flaw and why uncovering it required end-to-end security research.

🚀 Service built by Johan Denoyer