aimode.news

Millions of AI agents threatened by critical weakness in the open source package

Security researchers warned that millions of artificial intelligence agents and tools around the world are threatened by a serious vulnerability that could allow hackers to disrupt the servers that run them and steal sensitive data and credentials for third-party accounts.

The vulnerability is in Starlette, an open-source framework whose developers say it is downloaded 325 million times a week. Thousands of other open-source projects are also vulnerable because they require Starlette to work. The framework is an implementation of ASGI (Asynchronous Server Gateway Interface), which allows a large number of requests to be processed efficiently at the same time. Starlette underpins FastAPI and other widely used Python frameworks for building services, applications, and more.

Easy to exploit. Millions of servers exposed.

ASGI, and by extension Starlette, can be used to run MCP (Model Context Protocol) servers, which allow AI agents from major providers to access external resources, including user databases, email and calendar accounts, and various other resources. To connect to these external systems, MCP servers store credentials for each system, which makes them particularly valuable to attackers.

The vulnerability, tracked as CVE-2026-48710 and named BadHost, is easy to exploit and applies to most systems that are not behind a properly configured firewall. Widely used packages other than FastAPI (including vLLM and LiteLLM) are also affected. BadHost affects Starlette versions released before Friday.

A researcher at Secwest wrote: "A single character injected into the HTTP Host header will bypass the path-based authorization in the FastAPI core of Starlette." "Through FastAPI, this primitive (now identified as CVE-2026-48710 and named BadHost) reaches a large part of the Python AI tooling ecosystem: vLLM (where the bug was found), LiteLLM, text-generation-inference, most of the OpenAI-shim agents, MCP servers, proxy tools, evaluation dashboards and model management UIs."

BadHost's severity rating is 7 out of 10. Secwest states that this classification “severely underestimates” the threat it poses to users of other applications that rely on Starlette. X41 D-Sec, the security company that discovered the vulnerability, described it as “very serious”. X41 D-Sec, in collaboration with the security company Nemesis, created an online scanner to check whether a given server is vulnerable.
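As an added illustration (not code from Starlette, FastAPI, or the researchers quoted above), the sketch below is a pure-ASGI middleware that rejects any request whose Host header is not a strict `host[:port]` on an allowlist before the wrapped application sees it, a defense-in-depth measure against Host header injection in general. The article does not say which character triggers BadHost, so this is not a confirmed fix for CVE-2026-48710; the names `validate_host`, `StrictHostMiddleware` and `run_request`, the hostname `api.example.internal`, and all sample Host values are constructed for the example.

```python
import asyncio
import re

# One DNS label. fullmatch() below means nothing may precede or follow host[:port].
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile("(" + _LABEL + r"(?:\." + _LABEL + r")*)(?::([0-9]{1,5}))?")

def validate_host(headers, allowed):
    """Return the bare hostname if the Host header is strict and allowed, else None."""
    values = [v for k, v in headers if k.lower() == b"host"]
    if len(values) != 1:                      # missing or duplicated Host header
        return None
    try:
        raw = values[0].decode("ascii").lower()
    except UnicodeDecodeError:
        return None
    m = _HOST_RE.fullmatch(raw)               # rejects spaces, '/', '@', '?', '#', controls
    if m is None or (m.group(2) and int(m.group(2)) > 65535):
        return None
    return m.group(1) if m.group(1) in allowed else None

class StrictHostMiddleware:
    """Pure-ASGI wrapper: the wrapped app never sees a request with a bad Host."""
    def __init__(self, app, allowed_hosts):
        self.app = app
        self.allowed = frozenset(h.lower() for h in allowed_hosts)

    async def __call__(self, scope, receive, send):
        if scope["type"] == "lifespan" or validate_host(scope.get("headers", []), self.allowed):
            await self.app(scope, receive, send)
        elif scope["type"] == "websocket":
            await send({"type": "websocket.close", "code": 1008})
        else:
            await send({"type": "http.response.start", "status": 400, "headers": []})
            await send({"type": "http.response.body", "body": b"invalid Host header"})

def run_request(host_values, allowed=("api.example.internal",)):
    """Drive the middleware with constructed Host values; return (status, app_reached)."""
    reached, sent = [], []
    async def inner(scope, receive, send):    # stand-in for the protected application
        reached.append(True)
        await send({"type": "http.response.start", "status": 200, "headers": []})
    async def send(message):
        sent.append(message)
    scope = {"type": "http", "path": "/admin", "headers": [(b"host", v) for v in host_values]}
    asyncio.run(StrictHostMiddleware(inner, allowed)(scope, None, send))
    return sent[0]["status"], bool(reached)
```

IPv6 literals and wildcard hosts are deliberately not accepted by this pattern, so deployments that need them would have to extend the allowlist logic.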

![Millions of AI agents threatened by critical weakness in the open source package](https://cdn.arstechnica.net/wp-content/uploads/2026/02/gatekeeping-ai-agents-1152x648.jpg)
