{"data":{"id":"57dbc254-b9f8-4eae-a573-8b703ea5db95","title":"FastAPI-based AI tools exposed to authentication bypass by flaw in Starlette framework","summary":"A flaw in Starlette (CVE-2026-48710), the framework that powers FastAPI, allows unauthenticated attackers to bypass authentication by sending a malformed character in a web request's Host header. The flaw tricks Starlette into parsing the request path differently than the actual server sees it, so security checks on one path may allow access to a protected route, potentially enabling SSRF (server-side request forgery, where an attacker makes the server request data from unintended locations) or even remote code execution on affected systems.","solution":"Starlette's maintainer released a patch through an official GitHub security advisory. Additionally, researchers created badhost.org, a website that can test whether applications are vulnerable to this flaw.","labels":["security"],"sourceUrl":"https://www.csoonline.com/article/4177711/fastapi-based-ai-tools-exposed-to-authentication-bypass-by-flaw-in-starlette-framework.html","publishedAt":"2026-05-27T14:46:10.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":[],"issueType":"news","affectedPackages":null,"affectedVendors":["OpenAI"],"affectedVendorsRaw":["Starlette","FastAPI","OpenAI","OpenAI-compatible proxies"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-05-27T14:46:10.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}