A vulnerability in the open-source package 'Starlette,' which is downloaded more than 300 million times a week, has put millions of AI agents at risk.

Security researcher Markus Vervier warns that Starlette, an open-source framework used by millions of AI agents and tools worldwide, has a critical vulnerability.
Millions of AI agents imperiled by critical vulnerability in open source package - Ars Technica

Starlette is an open-source framework downloaded over 325 million times a week. It is also an ASGI (Asynchronous Server Gateway Interface) framework that can efficiently handle a large number of requests simultaneously. Starlette is the foundation for many widely used frameworks for building services in Python applications, including FastAPI.
Starlette has access to servers running MCP. MCP is a protocol that allows major providers' AI agents to access external sources, including user databases, email and calendar accounts, and all kinds of other resources. To connect to these external systems, each MCP server stores authentication credentials. Therefore, MCP servers are highly valuable targets for attackers.
The vulnerability found in Starlette, 'CVE-2026-48710' (also known as BadHost), is very easy to exploit and is effective against most systems that are not behind a properly configured firewall. In addition to FastAPI, other widely used packages such as vLLM and LiteLLM are also affected. Starlette has already released version 1.0.1, which addresses BadHost.

Security firm X41 D-Sec, which discovered BadHost, states that 'simply inserting a single character into the HTTP
BadHost is rated a severity of 7 out of 10, but Secwest states that 'this rating significantly underestimates the threat to users who use other apps that depend on Starlette.' X41 D-Sec also described BadHost as 'extremely severe.'
X41 D-Sec has released an online scanner that identifies servers potentially affected by BadHost, and points out that the following types of data may actually be stolen:
• Biopharmaceutical AI: Clinical trial database, M&A data, SSRF
• Identity verification: facial analysis, KYB, live PII, internal codebase
• IoT/Industrial Equipment: SSH connection to devices via bastion, remote code execution
• Email/SaaS: Read/send/delete mailboxes, export to S3, Webhooks
• Human Resources/Recruitment: Candidate personal information, recruitment pipeline data
• CMS/Marketing: Subscriber list, bulk email campaign sending/scheduling
• Document management: View, upload, and modify scanned documents
• Cloud monitoring: AWS topology, distributed tracing, metric queries
• Cybersecurity: Asset inventory, live nuclear scanner access
• Personal health/financial data: nutrition records, spending, subscription information

Describing BadHost, X41 D-Sec pointed out that 'Starlette's routing algorithm relies on the HTTP path, but the request.url.path attribute provided to middleware and endpoints is based on the reconstructed URL. It is unexpected for the user when request.url.path differs from the path actually requested over HTTP.'
Because vulnerable versions of Starlette are still widely used on production systems, users with applications that rely on Starlette (especially FastLLM, vLLM, and LiteLLM) should at least run a scanner on their systems to detect if any vulnerable code is still being used.
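To complement an external scan, the sketch below checks dependency pins and the local environment for a Starlette release older than 1.0.1. It is an added example, not code from X41 D-Sec or the Starlette project; it assumes every release below 1.0.1 is affected (the article only names the fixed release), and the sample pins and the function names are constructed for illustration.

```python
import re
from importlib import metadata

FIXED = (1, 0, 1)  # release the article says addresses BadHost
# Packages the article names as built on Starlette (they pull it in transitively).
DEPENDENTS = ("fastapi", "vllm", "litellm")
PIN = re.compile(r"^\s*([A-Za-z0-9._-]+)(?:\[[^\]]*\])?\s*==\s*([0-9][^\s;#]*)")

def is_vulnerable(version):
    """True if version sorts before 1.0.1 (assumption: all older releases are affected)."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))            # '1.0' -> (1, 0, 0)
    prerelease = bool(re.match(r"\.?(a|b|rc|dev)", m.group(2)))
    # A pre-release of 1.0.1 (e.g. 1.0.1rc1) is treated as unpatched.
    return release < FIXED or (release == FIXED and prerelease)

def audit_pins(text):
    """Scan 'name==version' pins (requirements.txt or pip freeze output)."""
    starlette, via = None, []
    for line in text.splitlines():
        m = PIN.match(line)
        if not m:
            continue
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
        if name == "starlette":
            starlette = m.group(2)
        elif name in DEPENDENTS:
            via.append(name)
    if starlette is not None:
        status = "vulnerable" if is_vulnerable(starlette) else "patched"
    else:
        # A dependent without a Starlette pin means the resolved version is unknown.
        status = "unknown" if via else "absent"
    return {"starlette": starlette, "status": status, "via": via}

def audit_installed():
    """None if Starlette is not installed here, else True when it predates 1.0.1."""
    try:
        return is_vulnerable(metadata.version("starlette"))
    except metadata.PackageNotFoundError:
        return None

# Constructed sample input; the version numbers are illustrative only.
SAMPLE = "fastapi[standard]==0.115.0\nstarlette==0.46.2\nuvicorn==0.30.1\n"

if __name__ == "__main__":
    print(audit_pins(SAMPLE), audit_installed())
```

A status of "unknown" means a Starlette-based package is pinned but Starlette itself is not, so the resolved version has to be checked in the deployed environment with `audit_installed()`.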