Critical BadHost flaw imperils millions of AI agents

Critical BadHost flaw imperils millions of AI agents — Biz & IT - Ars Technica
Source: Biz & IT - Ars Technica

Millions of AI agents and tools are at risk from a critical vulnerability in Starlette, an open source ASGI framework that its developer says is downloaded 325 million times per week. Thousands of other projects inherit the exposure because they depend on Starlette, which underpins FastAPI and many Python services.

The flaw, tracked as CVE-2026-48710 and dubbed BadHost, is trivial to exploit: a single character injected into the HTTP Host header can bypass Starlette’s path-based authorization. Because many servers expose ASGI — and thus Starlette — the issue reaches systems running the MCP model context protocol, which lets AI agents from major providers access external sources such as user databases, email and calendar accounts.

MCP servers often store credentials for connected services, making them especially valuable targets. BadHost affects Starlette versions prior to 1.0.1, which was released Friday.

starlette, badhost, cve-2026-48710, asgi, fastapi, host header, host injection, mcp protocol, ai agents, credentials