STARLETTE HOST-HEADER AUTH BYPASS DISCLOSED

BadHost researchers disclosed CVE-2026-48710, impacting Starlette's host-header authentication mechanisms. The vulnerability stems from insufficient validation of Host headers, enabling attackers to forge requests that pass security checks designed to restrict access to specific domains. The flaw affects applications relying on Starlette's host-header validation for authentication and authorization decisions. Attackers exploiting this issue could bypass access controls, potentially gaining unauthorized access to protected resources or performing actions on behalf of legitimate users. Starlette maintainers have been notified and patches are expected. Users running affected versions should prioritize updates once available. As a temporary mitigation, administrators can implement additional host validation at the application or reverse-proxy level. The vulnerability highlights risks in delegating security decisions to host-header values, which remain inherently spoofable without proper cryptographic verification. Organizations using Starlette should review their authentication implementations and host-validation strategies.