AI Agents at Risk: Critical Flaw Discovered

An AI sees millions of digital helpers standing vulnerably, like open doors to cyber thieves.

Millions of artificial intelligence (AI) agents and tools worldwide have been imperiled by a critical vulnerability that could allow hackers to breach their servers and steal sensitive data. This threat arises from a flaw in Starlette, an open source framework widely used for building AI services. The vulnerability, named CVE-2026-48710 or BadHost, affects versions of Starlette prior to 1.0.1.


Starlette’s integration with the Model Context Protocol (MCP) presents a significant risk, as it stores credentials for accessing external systems such as user databases, email and calendar accounts, and other resources. Researchers from Secwest stated that a single character injected into the HTTP Host header can bypass path-based authorization in Starlette, the routing core of FastAPI. This flaw impacts numerous widely used packages, including vLLM, LiteLLM, Text Generation Inference, OpenAI-shim proxies, MCP servers, and model-management UIs.


This vulnerability has a severity rating of 7 out of 10, but security firm X41 D-Sec, which discovered it, describes it as having ‘critical severity’. X41 D-Sec partnered with Nemesis to create an online scanner that can check if a given server is vulnerable. ASGI (Asynchronous Server Gateway Interface), the interface that Starlette implements, allows large numbers of requests to be processed simultaneously, making it essential for high-demand AI applications.


The issue affects thousands of open source projects because they rely on Starlette to function. The vulnerability is trivial to exploit and works against most systems that aren’t behind a properly configured firewall. Secwest warns that the classification ‘materially understates’ the threat it poses to people using other apps that depend on Starlette.
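Because Starlette usually arrives as a transitive dependency, a quick triage step is to audit pinned requirements against the fixed version named above. The following is an added example, not code from the article or from the Starlette project; the function names `classify` and `audit` and the sample lines are constructed for illustration.

```python
import re

FIXED = (1, 0, 1)  # from the article: Starlette versions prior to 1.0.1 are affected

_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
_PIN = re.compile(r"^===?\s*v?(\d+(?:\.\d+)*)(.*)$")
_PRE = re.compile(r"[._-]?(?:a|b|c|rc|dev|pre)", re.I)  # pre-release / dev suffix

# Constructed sample input in `pip freeze` / requirements.txt form.
SAMPLE = [
    "fastapi==0.115.0",
    "Starlette==0.46.2",
    "starlette[full]==1.0.1rc1  # release candidate",
    "starlette==1.0.1 ; python_version >= '3.9'",
    "starlette>=0.40",
]


def classify(line):
    """Return None for non-Starlette lines, else 'vulnerable', 'fixed' or 'unpinned'."""
    spec = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments and markers
    m = _REQ.match(spec)
    if not m or re.sub(r"[-_.]+", "-", m.group(1)).lower() != "starlette":
        return None
    pin = _PIN.match(m.group(2).strip())
    if not pin or "*" in m.group(2):
        return "unpinned"  # a range or wildcard does not say which version is installed
    release = tuple(int(p) for p in pin.group(1).split("."))
    release += (0,) * (3 - len(release))  # pad 1.0 to 1.0.0
    is_pre = bool(_PRE.match(pin.group(2)))
    # Pre-releases of 1.0.1 sort before 1.0.1, so they count as affected.
    if release < FIXED or (release == FIXED and is_pre):
        return "vulnerable"
    return "fixed"


def audit(lines):
    """Map each Starlette requirement line to its classification."""
    return {l.strip(): c for l in lines if (c := classify(l)) is not None}


if __name__ == "__main__":
    for req, status in audit(SAMPLE).items():
        print(f"{status:10} {req}")
```

Lines reported as `unpinned` need a check of the resolved environment, for example with `importlib.metadata.version("starlette")` on the running service.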

Original source:  https://arstechnica.com/information-technology/2026/05/millions-of-ai-agents-imperiled-by-critical-vulnerability-in-open-source-package/