This affects any Python application built on Starlette or FastAPI that uses starlette < 1.0.1 and uses request.url (or starlette.datastructures.URL(scope=...)) in a middleware to make security decisions based on its path (e.g. allowlists, denylists, CSRF exemptions, rate limiting, payment gates), running on any ASGI server (Daphne, Granian, Gunicorn, Hypercorn, Anycorn, Uvicorn). To check your own code, use the scanner above, grep your codebase for request.url.path in middleware files, or try the tools from the X41 open-source repository. Affected software includes LLM inference servers like vLLM, LLM proxy servers like LiteLLM, AI agent frameworks, MCP gateways, and custom APIs. MCP servers are especially at risk because the MCP spec mandates unauthenticated OAuth discovery endpoints, providing a reliable path for exploitation.
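A small AST-based scanner for the grep step, added here as an example; it is neither the scanner referred to above nor the X41 tooling. It parses each .py file, flags `<x>.url.path` attribute chains and `URL(scope=...)` calls, and reports them only for files that look like middleware (the file-name and `__call__`/`dispatch` heuristic is an assumption); the SAMPLE source is constructed.

```python
import ast
import sys
from pathlib import Path

# Constructed sample of the risky pattern: an ASGI middleware gating on request.url.path.
SAMPLE = '''async def __call__(self, scope, receive, send):
    request, url = Request(scope), URL(scope=scope)
    if request.url.path.startswith("/admin") and not is_admin(request):
        return await deny(scope, receive, send)
    return await self.app(scope, receive, send)
'''

def _attr_chain(node: ast.AST) -> list[str]:
    """Flatten `a.b.c` into ["a", "b", "c"]; a non-Name root contributes nothing."""
    parts: list[str] = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return parts[::-1]

def find_url_uses(source: str, filename: str = "<string>") -> list[tuple[int, str]]:
    """Sorted (line, expression) pairs for each `<x>.url.path` access and `URL(scope=...)` call."""
    hits: list[tuple[int, str]] = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Attribute) and _attr_chain(node)[-2:] == ["url", "path"]:
            hits.append((node.lineno, ".".join(_attr_chain(node))))
        elif (isinstance(node, ast.Call) and _attr_chain(node.func)[-1:] == ["URL"]
              and any(k.arg == "scope" for k in node.keywords)):
            hits.append((node.lineno, "URL(scope=...)"))
    return sorted(hits)

def looks_like_middleware(source: str, filename: str) -> bool:
    """Heuristic (assumption): 'middleware' in the file name, or an ASGI __call__/dispatch defined."""
    return "middleware" in Path(filename).name.lower() or any(
        isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef)) and n.name in ("__call__", "dispatch")
        for n in ast.walk(ast.parse(source, filename)))

def scan_tree(root: str) -> list[tuple[str, int, str]]:
    """Walk a source tree; report flagged uses only in middleware-looking files."""
    out: list[tuple[str, int, str]] = []
    for path in Path(root).rglob("*.py"):
        src = path.read_text(encoding="utf-8", errors="replace")
        if looks_like_middleware(src, str(path)):
            out += [(str(path), ln, what) for ln, what in find_url_uses(src, str(path))]
    return out

if __name__ == "__main__":  # scan the given tree, or the constructed SAMPLE when no path is given
    print(*(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else find_url_uses(SAMPLE)), sep="\n")
```

Every hit still needs a manual look to confirm the value actually feeds a security decision; a hit in a middleware file is the case the advisory describes.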
First seen: 2026-05-27 07:45
Last seen: 2026-05-27 16:55