Critical BadHost vulnerability in Starlette imperils millions of AI agents
A single character injection bypasses authentication in the core of FastAPI and AI tools.
The BadHost vulnerability (CVE-2026-48710) resides in Starlette, the foundational ASGI framework powering FastAPI and dozens of other Python AI tooling packages. Discovered by X41 D-Sec and Nemesis, the flaw stems from Starlette's failure to validate the HTTP Host header. An attacker injects a single character into the Host header to alter the reconstructed URL path, tricking authentication mechanisms that rely on Starlette's request.url.path. This leads to authentication bypass, server-side request forgery (SSRF), and in some cases remote code execution. Secwest rates the severity at 7/10, but X41 D-Sec considers it critical given the ecosystem reach.
The vulnerability threatens millions of AI agents using the Model Context Protocol (MCP) to access external databases, email, calendars, and other resources. MCP servers store third-party credentials, making them prime targets. Affected packages include FastAPI, vLLM, LiteLLM, Text Generation Inference, and most OpenAI-compatible proxies. X41 D-Sec and Nemesis have released an online scanner to check server exposure. Exposed data types include clinical trial databases, identity verification PII, IoT/industrial SSH credentials, email mailbox access, HR candidate data, cloud monitoring topology, and cybersecurity asset inventories. Organizations using Starlette versions prior to 1.0.1 should update immediately and ensure proper firewall configuration.
- BadHost (CVE-2026-48710) is a trivial-to-exploit vulnerability in Starlette that bypasses path-based authentication via a single injected character in the HTTP Host header.
- Starlette has 325 million weekly downloads and is the core of FastAPI, affecting vLLM, LiteLLM, MCP servers, and many other Python AI tools.
- The vulnerability exposes credentials stored in MCP servers, risking theft of sensitive data including clinical records, PII, SSH keys, and email access.
Why It Matters
AI agents relying on MCP servers face immediate credential theft and data breach risks from a trivial exploit.