2 Sources
[1]
Millions of AI agents imperiled by critical vulnerability in open source package
Millions of AI agents and tools around the world have been imperiled by a critical vulnerability that can allow hackers to breach the servers running them and make off with sensitive data and credentials to third-party accounts, a security researcher is warning.

The vulnerability is present in Starlette, an open source framework that its developer says receives 325 million downloads per week. Thousands of other open source projects are also vulnerable because they require Starlette to work. The framework is an implementation of the ASGI (asynchronous server gateway interface), which allows large numbers of requests to be efficiently processed simultaneously. Starlette is the base of FastAPI and other widely used frameworks for building services in Python apps, as well as many others.

Trivial to exploit, millions of servers exposed

ASGI, and by extension Starlette, have access to servers running the MCP (model context protocol), which allows AI agents from major providers to access external sources, including user databases, email and calendar accounts, and all manner of other resources. To connect with these external systems, MCP servers store credentials for each one, making them especially valuable storehouses for attackers to breach.

The vulnerability, tracked as CVE-2026-48710 and under the name BadHost, is trivial to exploit and works against most systems that aren't behind a properly configured firewall. Besides FastAPI, other widely used packages -- including vLLM and LiteLLM -- are also affected. BadHost affects Starlette versions prior to 1.0.1, which was released Friday.

"A single character injected into the HTTP Host header bypasses path-based authorization in Starlette, the routing core of FastAPI," researchers from Secwest wrote. "Through FastAPI, this primitive (now tracked as CVE-2026-48710 and branded BadHost by the discoverers) reaches a large segment of the Python AI tooling ecosystem: vLLM (where the bug was discovered), LiteLLM, Text Generation Inference, most OpenAI-shim proxies, MCP servers, agent harnesses, eval dashboards, and model-management UIs."

BadHost carries a severity rating of 7 on a scale of 1 to 10. Secwest said the classification "materially understates" the threat it poses to people using other apps that depend on Starlette. X41 D-Sec, the security firm that discovered it, described it as having "critical severity."

X41 D-Sec partnered with fellow security firm Nemesis to create an online scanner that can check if a given server is vulnerable. X41 D-Sec researcher Markus Vervier said a scan has revealed the following types of data are currently exposed:

* Biopharma AI - clinical trial DBs, M&A data, SSRF
* Identity Verification - face analysis, KYB, live PII, internal codebase
* IoT/Industrial - SSH to devices via bastion, remote code execution
* Email/SaaS - full mailbox read/send/delete, S3 export, webhooks
* HR/Recruitment - candidate PII, hiring pipeline data
* CMS/Marketing - subscriber lists, send/schedule mass email campaigns
* Document Management - read, upload, modify scanned documents
* Cloud Monitoring - AWS topology, distributed traces, metric queries
* Cybersecurity - asset inventory, live Nuclei scanner access
* Personal Health/Finance - nutrition logs, expenses, subscriptions

The crux of the vulnerability is that Starlette accepts invalid host header values that cause authenticating apps that use Starlette's request.url object to approve unauthorized access requests. X41 D-Sec said it has found that authentication can be bypassed in multiple apps that rely on this call. Besides that, hacks can lead to SSRF (server-side request forgery) exploits and, in some cases, remote code execution.

X41 D-Sec described it this way:

Starlette reconstructs the requested URL based on the HTTP Host request header and requested path, but does not perform any validation of the Host header value. This allows attackers to inject paths into the host part, prepending the actual path. However, routing in Starlette is based on the actual request path. This inconsistent interpretation of HTTP requests may lead to issues such as authentication bypass when the authentication depends on the reconstructed URL's path. Starlette is the foundation of the FastAPI Python framework.

Company researchers added: "The routing algorithm of Starlette depends on the HTTP path, but the request.url.path attribute which is made available to middlewares and endpoints is based on the reconstructed URL. It is unexpected for users that request.url.path is different from the actual path requested over HTTP."

The developer of Starlette didn't immediately reply to an email seeking confirmation of the assessment and additional information.

With vulnerable versions of Starlette still widely used in production systems, people relying on any app that depends on Starlette -- particularly, FastLLM, vLLM, and LiteLLM -- should at a minimum run the scanner on their systems to detect if vulnerable Starlette code is still in use there. Additional mitigation guidance is provided in the Nemesis and X41 D-Sec links above.
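A defensive illustration of the missing Host validation X41 D-Sec describes, added here as an example (it is not code from Starlette, X41 D-Sec, Secwest or either article): a pure-ASGI middleware that refuses any Host value that is not a plain, allowlisted host[:port] before a URL can be rebuilt from it. The names `host_is_valid`, `StrictHostMiddleware`, `status_for` and the hostname `api.example.test` are hypothetical, and the sample headers are constructed.

```python
import asyncio
import re

# host[:port] only: DNS labels or IPv4 digits, nothing that could carry a path, query or userinfo.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"({_LABEL}(?:\.{_LABEL})*)(?::(\d{{1,5}}))?")

def host_is_valid(raw: bytes, allowed: frozenset) -> bool:
    """True only for a well-formed host[:port] whose host part is on the allowlist."""
    try:
        match = _HOST_RE.fullmatch(raw.decode("ascii").lower())
    except UnicodeDecodeError:
        return False
    if match is None or (match.group(2) and not 0 < int(match.group(2)) <= 65535):
        return False
    return match.group(1) in allowed

class StrictHostMiddleware:
    """Hypothetical ASGI middleware: reject the request before any URL is rebuilt from Host."""
    def __init__(self, app, allowed_hosts):
        self.app = app
        self.allowed = frozenset(h.lower() for h in allowed_hosts)

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            hosts = [value for name, value in scope["headers"] if name == b"host"]
            # Exactly one Host header is accepted, and it must parse cleanly.
            if len(hosts) != 1 or not host_is_valid(hosts[0], self.allowed):
                await send({"type": "http.response.start", "status": 400,
                            "headers": [(b"content-type", b"text/plain")]})
                await send({"type": "http.response.body", "body": b"invalid Host header"})
                return
        await self.app(scope, receive, send)

def status_for(host_values, path="/admin"):
    """Drive the middleware with a constructed ASGI scope and return the status it sends."""
    sent = []
    async def ok_app(scope, receive, send):
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b"ok"})
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    async def send(message):
        sent.append(message)
    scope = {"type": "http", "path": path, "headers": [(b"host", v) for v in host_values]}
    asyncio.run(StrictHostMiddleware(ok_app, ["api.example.test"])(scope, receive, send))
    return sent[0]["status"]
```

Authorization checks are safer when they read the routed path (`scope["path"]` in ASGI) rather than a URL rebuilt from headers; upgrading to Starlette 1.0.1 remains the fix the articles name.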
[2]
Worrying open-source security issue 'BadHost' could affect millions of AI agents, experts warn
* Secwest discloses CVE-2026-48710 ("BadHost"), a high-severity flaw in Starlette that lets attackers abuse malformed Host headers to bypass security checks and exfiltrate sensitive data
* Starlette underpins frameworks like FastAPI and is widely deployed; researchers warn the 7/10 score understates the risk, with AI agent, biopharma, IoT, and SaaS data potentially exposed
* The bug was patched in version 1.0.1, but vulnerable builds remain common in production, making immediate upgrades and environment scans critical

A lightweight Python web framework called Starlette carried a high-severity vulnerability which could allow malicious actors to exfiltrate sensitive data from millions of AI agents, experts have warned. Some researchers are even suggesting current descriptions of the flaw don't do it justice as it is one of the bigger and potentially more disruptive flaws in recent times.

Starlette is a Python web framework and tool built for creating fast web applications and APIs using the Asynchronous Server Gateway Interface (ASGI) standard. Being open source, it receives around 325 million downloads every week and is the foundation of many popular frameworks (for example, FastAPI).

BadHost fixed with a patch

The problem stems from the fact that Starlette has access to servers running the Model Context Protocol (MCP), a tool that allows AI agents to search the web or access third-party services. To be able to work properly, that tool needs to have the right permissions and needs to store the right passwords.

Security researchers Secwest found a flaw that allowed attackers to send a fake or malformed 'Host' header (a piece of information websites use to understand which address was requested). In some cases, Starlette would build the request URL using this fake data, causing security checks to look at the wrong path.

The bug is dubbed BadHost, and is now tracked as CVE-2026-48710. It was given a severity score of 7/10 (high) and was fixed in Starlette version 1.0.1.

For Secwest, giving BadHost a 7/10 "materially understates" the severity of the threat. It claims that at this very moment, biopharma AI data, identity verification data, IoT and industrial data, emails, SaaS data, and more, are all exposed.

While it did patch the flaw, Starlette did not comment on the findings. Ars Technica says vulnerable versions are still "widely used" in production systems, and that businesses should at least scan to see if they are among those at risk.
A critical vulnerability in Starlette, an open source Python framework with 325 million weekly downloads, threatens millions of AI agents worldwide. Dubbed BadHost and tracked as CVE-2026-48710, the flaw allows attackers to bypass security checks and steal sensitive data including credentials, clinical trial databases, and personal information. Security researchers warn the 7/10 severity rating understates the actual risk.
Millions of AI agents and tools worldwide face a severe security threat from the BadHost vulnerability, a critical flaw discovered in the Starlette framework. The Starlette Python web framework, which receives 325 million downloads per week, contains a vulnerability now tracked as CVE-2026-48710 that enables attackers to breach servers and steal sensitive data and credentials to third-party accounts [1]. Security researchers from X41 D-Sec discovered the critical vulnerability in the open source package and partnered with Secwest to disclose the findings [2].
Source: Ars Technica
The open-source security issue stems from how Starlette handles HTTP Host headers. The framework reconstructs requested URLs based on Host header values without performing proper validation, allowing attackers to inject paths into the host portion. Security researchers explain that routing in Starlette depends on the actual HTTP path, but the request.url.path attribute uses the reconstructed URL, creating an inconsistent interpretation that leads to authentication bypass [1]. This means attackers can send malformed Host headers to cause authenticating applications to approve unauthorized access requests, making the exploit trivial to execute against systems without properly configured firewalls.

The vulnerability reaches far beyond Starlette itself, affecting thousands of dependent projects. FastAPI, vLLM, and LiteLLM are among the widely used packages vulnerable to BadHost [1]. The Python AI tooling ecosystem faces particular risk because Starlette serves as the foundation for frameworks building services in Python apps. AI agents from major providers rely on servers running the Model Context Protocol (MCP), which connects to external sources including user databases, email accounts, and calendar systems. These MCP servers store credentials for each connected system, making them especially valuable targets for server breach attempts [2].

X41 D-Sec researcher Markus Vervier conducted scans revealing the alarming scope of currently exposed data. Biopharma AI systems with clinical trial databases and M&A data face risk, alongside identity verification platforms containing face analysis and live personal information. IoT and industrial systems show SSH access to devices via bastion hosts with potential for remote code execution. Email and SaaS platforms expose full mailbox capabilities including read, send, and delete functions. HR and recruitment systems leak candidate personal data and hiring pipeline information, while document management platforms allow unauthorized reading and modification of scanned documents [1]. The exfiltration of sensitive data extends to cloud monitoring systems, cybersecurity asset inventories, and personal health and finance applications.
BadHost carries an official severity rating of 7 out of 10, but security researchers strongly contest this assessment. Secwest stated the classification "materially understates" the actual threat posed to users of applications depending on Starlette [1]. X41 D-Sec described the vulnerability as having "critical severity," suggesting current descriptions fail to capture the true scale of potential disruption [2]. Beyond authentication bypass, the vulnerability enables server-side request forgery (SSRF) exploits and, in certain cases, remote code execution capabilities.

Starlette released version 1.0.1 on Friday to address the BadHost vulnerability, but vulnerable versions remain widely deployed in production systems [1]. Organizations relying on applications that depend on Starlette, particularly FastAPI, vLLM, and LiteLLM, should immediately run environment scans to detect exposure. X41 D-Sec partnered with security firm Nemesis to create an online scanner that checks whether servers remain vulnerable. The widespread adoption of Starlette across the AI infrastructure means credentials theft and data breaches could affect millions of systems before patches reach all production environments. Organizations must prioritize immediate upgrades and comprehensive security audits to protect against active exploitation attempts.

Summarized by Navi