Millions of AI agents imperiled by critical vulnerability in open source package

A critical security flaw in Starlette, an open-source framework used by millions of AI tools, has left systems vulnerable to attacks that could expose sensitive data. The vulnerability, named BadHost and tracked as CVE-2026-48710, allows attackers to bypass path-based authorization by injecting a single character into the HTTP Host header. Starlette, which processes 325 million downloads weekly, serves as the foundation for frameworks like FastAPI and supports AI agents accessing external resources such as user databases, emails, and calendars through the MCP (model context protocol). The flaw affects Starlette versions prior to 1.0.1, released Friday, and extends to other widely used AI packages, including vLLM, LiteLLM, and OpenAI-shim proxies. Researchers from Secwest and X41 D-Sec describe the vulnerability as trivial to exploit, with critical severity, though it carries a CVSS rating of 7. The vulnerability impacts MCP servers, agent harnesses, and model-management interfaces, making them prime targets for credential theft. X41 D-Sec partnered with Nemesis to create an online scanner that checks for vulnerable servers. The flaw highlights broader risks in Python-based AI tooling, where dependencies on Starlette create cascading vulnerabilities. Researchers warn that the severity rating understates the threat, as many systems remain exposed without proper firewall configurations. The discovery underscores the growing need for robust security in AI infrastructure, where open-source frameworks underpin critical services. Organizations using affected packages are advised to update to Starlette 1.0.1 or later and review their firewall settings to mitigate risks.