CVEAIFastAPIauthentication bypass
CVE-2026-48710 (BadHost): One Character Breaks Your Entire AI Stack
A single slash in the HTTP Host header bypasses authentication on FastAPI, vLLM, MCP servers, and basically every Python AI service. 325 million downloads per week affected.
May 26, 2026