Developer

Critical Starlette bug imperils millions of AI agents

A vulnerability in the Starlette open source framework, which gets 325 million weekly downloads, puts millions of AI agents at risk. Tracked as CVE-2026-48710 and named BadHost, the flaw lets attackers bypass path-based authorization via a single character in the HTTP Host header. Affected packages include FastAPI, vLLM, and LiteLLM, and exploitation can expose sensitive data like clinical trial databases, email credentials, and cloud infrastructure details.

Neura News

Neura News

Neura Market Editorial

May 26, 20264 min read
Critical Starlette bug imperils millions of AI agents

A critical vulnerability has been discovered in Starlette, an open source Python framework that sees 325 million weekly downloads, and security researchers warn it could allow hackers to breach the servers running AI agents and make off with sensitive data and credentials.

The flaw, tracked as CVE-2026-48710 and branded BadHost, is trivial to exploit against most systems not protected by a properly configured firewall. It affects Starlette versions prior to 1.0.1, which was released on Friday.

Vulnerability reaches deep into AI tooling

Starlette is an implementation of the ASGI (asynchronous server gateway interface) that efficiently processes large numbers of requests simultaneously. It serves as the foundation for FastAPI and other widely used frameworks for building Python apps. Because so many projects require Starlette to function, thousands of other open source projects are also vulnerable.

ASGI and Starlette have access to servers running the MCP (model context protocol), which allows AI agents from major providers to access external sources including user databases, email and calendar accounts, and other resources. MCP servers store credentials for each external connection, making them especially valuable targets for attackers.

Researchers from Secwest wrote that a single character injected into the HTTP Host header bypasses path-based authorization in Starlette, the routing core of FastAPI. Through FastAPI, this primitive reaches a large segment of the Python AI tooling ecosystem: vLLM (where the bug was discovered), LiteLLM, Text Generation Inference, most OpenAI-shim proxies, MCP servers, agent harnesses, eval dashboards, and model-management UIs.

Potential exposure of sensitive data

BadHost carries a severity rating of 7 out of 10, but Secwest said that classification materially understates the threat to people using apps that depend on Starlette. X41 D-Sec, the security firm that discovered the bug, described it as having critical severity. X41 D-Sec partnered with Nemesis to create an online scanner that checks whether a given server is vulnerable.

Markus Vervier, a researcher at X41 D-Sec, said a scan revealed the following types of data are currently exposed:

Stay updated

Get the day's AI and automation news in your inbox. No spam, unsubscribe anytime.

  • Biopharma AI: clinical trial databases, M&A data, SSRF
  • Identity Verification: face analysis, KYB, live PII, internal codebase
  • IoT/Industrial: SSH to devices via bastion, remote code execution
  • Email/SaaS: full mailbox read/send/delete, S3 export, webhooks
  • HR/Recruitment: candidate PII, hiring pipeline data
  • CMS/Marketing: subscriber lists, send/schedule mass email campaigns
  • Document Management: read, upload, modify scanned documents
  • Cloud Monitoring: AWS topology, distributed traces, metric queries
  • Cybersecurity: asset inventory, live Nuclei scanner access
  • Personal Health/Finance: nutrition logs, expenses, subscriptions

How the exploit works

The crux of the vulnerability is that Starlette accepts invalid host header values. This causes authenticating apps that use Starlette's request.url object to approve unauthorized access requests. X41 D-Sec said it found authentication in multiple apps that rely on this call to be bypassed. Besides authentication bypass, hacks can lead to SSRF (server-side request forgery) exploits and, in some cases, remote code execution.

X41 D-Sec explained that Starlette reconstructs the requested URL based on the HTTP Host request header and requested path, but does not perform any validation of the Host header value. This allows attackers to inject paths into the host part, prepending the actual path. However, routing in Starlette is based on the actual request path. This inconsistent interpretation of HTTP requests leads to issues such as authentication bypass when authentication depends on the reconstructed URL's path.

Company researchers added that the routing algorithm depends on the HTTP path, but the request.url.path attribute made available to middlewares and endpoints is based on the reconstructed URL. It is unexpected for users that request.url.path differs from the actual path requested over HTTP.

The developer of Starlette did not immediately reply to an email seeking confirmation and additional information.

Mitigation advice

With vulnerable versions of Starlette still widely used in production systems, people relying on any app that depends on Starlette, particularly FastLLM, vLLM, and LiteLLM, should at a minimum run the scanner on their systems to detect whether vulnerable Starlette code is still in use. Additional mitigation guidance is provided in the Nemesis and X41 D-Sec links above.

Related on Neura Market

More from Neura News