
A security researcher has warned that a vulnerability in Starlette puts millions of AI agents and tools worldwide at risk, potentially letting attackers reach the servers that run them and steal sensitive data and third-party account credentials. Starlette is a popular open-source Python web framework that, by the article's count, sees 325 million downloads a week, and the exposure extends well beyond Starlette itself, because many other open-source projects are built on it.

Starlette implements ASGI (the Asynchronous Server Gateway Interface), the Python standard for asynchronous web servers and applications, designed to handle large volumes of concurrent requests efficiently. It is the routing core of FastAPI and of several other widely used frameworks for building services in Python. Starlette-based frameworks also underpin many servers that implement MCP (the Model Context Protocol), which lets AI agents from major providers connect to external resources such as user databases, email accounts and calendars. Because MCP servers hold the credentials for those resources, they are especially attractive targets for attackers.

The vulnerability, tracked as CVE-2026-48710 and dubbed BadHost, is easy to exploit, especially on systems that lack proper firewall restrictions on who can reach them. It affects not only FastAPI but also other popular packages such as vLLM and LiteLLM. BadHost affects Starlette versions before 1.0.1, which was released recently. Researchers from Secwest noted, "A single character injected into the HTTP Host header bypasses path-based authorization in Starlette, the routing core of FastAPI."

They added that the flaw, now tracked as CVE-2026-48710 and branded BadHost by its discoverers, threatens a substantial portion of the Python AI tooling ecosystem: vLLM, LiteLLM, Text Generation Inference, various OpenAI-compatible shim proxies, MCP servers, agent harnesses, evaluation dashboards and model-management user interfaces. BadHost has been assigned a severity score of 7 out of 10, a rating that Secwest says significantly understates the danger to users of other applications built on Starlette. X41 D-Sec, the firm that uncovered the vulnerability, rates it critical and worked with Nemesis, another security firm, on an online scanner that checks whether a given server is vulnerable.
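The fix the article points to is upgrading Starlette to 1.0.1 or later. Until every Starlette-based service in a fleet is upgraded, the practical defense-in-depth step that follows from the quoted finding (a single injected Host-header character) is to reject any request whose Host header is not a syntactically valid, allowlisted host before the request ever reaches routing or path-based authorization. The block below is an added example written for this page, not code from the article, from X41 D-Sec or from the Starlette project, and it does not claim to be the specific patch for CVE-2026-48710, whose mechanism the article does not describe. It is a dependency-free ASGI middleware (Starlette itself ships a TrustedHostMiddleware for allowlisting, which you should prefer in real deployments), plus a version check against the 1.0.1 threshold the article gives. The allowlist, header values and the `_ok_app` endpoint are constructed samples.

```python
"""Added example: strict Host-header validation in front of an ASGI app, and a
Starlette version check against the 1.0.1 fixed release named in the article.
Not the project's code; the hosts and headers below are constructed samples."""
import asyncio
import re
from typing import Iterable, List, Optional, Tuple

# RFC 7230: Host = uri-host [ ":" port ]. This accepts reg-name / IPv4 hosts
# (letters, digits, '-', '.'), bracketed IPv6 literals, and an optional numeric
# port. Anything else ('/', '?', '#', '@', spaces, ...) is rejected outright.
_HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?"
    r"|\[[0-9A-Fa-f:.]+\])"
    r"(?::[0-9]{1,5})?$"
)


def parse_host(value: str) -> Optional[Tuple[str, Optional[int]]]:
    """Return (normalised host, port or None) for a well-formed Host value, else None."""
    if not _HOST_RE.match(value):
        return None
    if value.startswith("["):  # IPv6 literal: split after the closing bracket
        end = value.index("]")
        host, rest = value[: end + 1], value[end + 1:]
    else:
        host, rest = value, ""
        if ":" in value:
            host, _, port_text = value.partition(":")
            rest = ":" + port_text
    port = int(rest[1:]) if rest else None
    if port is not None and port > 65535:
        return None
    return host.lower().rstrip("."), port


def host_allowed(value: str, allowed_hosts: Iterable[str]) -> bool:
    """True if the Host value parses and matches an exact or '*.suffix' allowlist entry."""
    parsed = parse_host(value)
    if parsed is None:
        return False
    host, _port = parsed
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == host:
            return True
        # '*.example.com' matches 'api.example.com' but not 'example.com' itself
        if pattern.startswith("*.") and host.endswith(pattern[1:]):
            return True
    return False


class StrictHostMiddleware:
    """Reject requests with a missing, duplicated, malformed or unlisted Host header
    with 400 *before* the wrapped app routes the request."""

    def __init__(self, app, allowed_hosts: Iterable[str]):
        self.app = app
        self.allowed_hosts = list(allowed_hosts)

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        hosts = [v.decode("latin-1") for k, v in scope.get("headers", []) if k == b"host"]
        if len(hosts) != 1 or not host_allowed(hosts[0], self.allowed_hosts):
            await send({"type": "http.response.start", "status": 400,
                        "headers": [(b"content-type", b"text/plain")]})
            await send({"type": "http.response.body", "body": b"Bad Host header"})
            return
        await self.app(scope, receive, send)


def starlette_is_patched(version: str) -> bool:
    """True if an installed Starlette version string is >= 1.0.1 (per the article)."""
    match = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in match.groups()) >= (1, 0, 1)


async def _ok_app(scope, receive, send):
    """Constructed stand-in for a protected endpoint; always answers 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def request_status(app, host_header: bytes, path: str = "/admin") -> int:
    """Drive an ASGI app in-process with a constructed scope; return the HTTP status."""
    scope = {"type": "http", "method": "GET", "path": path,
             "headers": [(b"host", host_header)]}
    sent: List[dict] = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    return sent[0]["status"]


if __name__ == "__main__":
    app = StrictHostMiddleware(_ok_app, ["mcp.example.com", "*.internal.example"])
    for header in (b"mcp.example.com", b"mcp.example.com/", b"evil.example"):
        print(header, "->", request_status(app, header))
```

The middleware sits outermost in the stack so that a malformed Host value never reaches routing, path-prefix authorization or URL reconstruction; run `starlette_is_patched(starlette.__version__)` in a deployment check so the stop-gap does not outlive the upgrade it is meant to bridge.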