Tag

Fastapi

All articles tagged with #fastapi

Critical Starlette flaw threatens Python AI tooling ecosystem
security | 2 hours ago

A critical vulnerability named BadHost (CVE-2026-48710) in Starlette (versions before 1.0.1) allows host-header authentication to be bypassed, enabling SSRF and potential remote code execution. It endangers millions of servers and AI tooling that rely on Starlette via FastAPI, including vLLM, LiteLLM, and Text Generation Inference; Starlette has ~325 million weekly downloads. Security researchers from X41 D-Sec and Nemesis warn the flaw is widespread, and a scanner is available to detect exposed systems. Users should upgrade Starlette and apply recommended mitigations.