Critical Starlette flaw exposes millions of AI agents to credential theft
Security researchers warn that CVE-2026-48710 imperils infrastructure underpinning FastAPI, vLLM, and LiteLLM, urging immediate patching to version 1.0.1.

A critical security vulnerability identified as CVE-2026-48710, dubbed BadHost, has been discovered in Starlette, an open-source Python framework that records 325 million weekly downloads. The flaw allows attackers to bypass path-based authentication and potentially execute remote code by injecting characters into the HTTP Host header. Because Starlette serves as the foundational layer for widely used frameworks such as FastAPI, vLLM, and LiteLLM, millions of AI agents and tools are at risk of having sensitive data and credentials stolen.
The vulnerability affects all Starlette versions prior to 1.0.1, which was released on Friday. The bug was originally discovered within the vLLM framework by security researchers from X41 D-Sec and Secwest. According to researchers, a single character injected into the HTTP Host header can bypass path-based authorization in Starlette, the routing core of FastAPI. This primitive then reaches a large segment of the Python AI tooling ecosystem, including Text Generation Inference, most OpenAI-shim proxies, MCP servers, agent harnesses, eval dashboards, and model-management UIs.
Starlette is an implementation of the ASGI (asynchronous server gateway interface), which allows large numbers of requests to be processed simultaneously. It underpins servers running the MCP (model context protocol), which allows AI agents to access external sources such as user databases, email, and calendar accounts. To connect with these external systems, MCP servers store credentials for each one, making them especially valuable targets for attackers. The technical root cause lies in Starlette’s failure to validate the Host header value when reconstructing the requested URL, leading to an inconsistent interpretation between the actual HTTP path and the reconstructed URL path used for authentication.
Disagreement exists regarding the severity of the threat. Secwest has rated the vulnerability at 7 out of 10, arguing that this classification materially understates the risk to applications depending on Starlette. In contrast, X41 D-Sec describes the flaw as having critical severity. X41 D-Sec researcher Markus Vervier noted that scans have revealed exposed data types on affected servers, though specific categories were not detailed. The firm has partnered with security firm Nemesis to create an online scanner to check if servers are vulnerable.
The developer of Starlette did not immediately reply to an email seeking confirmation of the assessment. With vulnerable versions of Starlette still widely used in production systems, experts advise that users relying on any application that depends on Starlette should run the scanner on their systems to detect whether vulnerable code is still in use. Additional mitigation guidance is available through the links provided by Nemesis and X41 D-Sec.
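The following Python is an added illustration, not code from Starlette, X41 D-Sec, Secwest, or this article. It assumes only what the article states: that the flaw rides on an unvalidated HTTP Host header value and that 1.0.1 is the fixed release. It shows two checks a defender would want while the scanner and upgrades are rolling out: a version comparison against 1.0.1 for dependency audits, and a strict allowlist-based Host header validator that can be run over access-log lines to flag requests carrying malformed or unexpected Host values. The log lines, the allowlist, and the `METHOD PATH HOST` log format are constructed for the example.

```python
"""Added illustration for the Starlette BadHost (CVE-2026-48710) coverage above.
Not Starlette's or the researchers' code. Assumes only what the article states:
the fixed release is 1.0.1 and the flaw depends on an unvalidated Host header.
"""
from __future__ import annotations

import re
from typing import Iterable, Optional

FIXED_VERSION = (1, 0, 1)  # from the article: patched in Starlette 1.0.1

# Strict host[:port] syntax: DNS-style labels or a bracketed IPv6 literal,
# with an optional decimal port. Anything else is rejected outright, so a
# Host value carrying stray or control characters never reaches routing.
_HOST_RE = re.compile(
    r"(?:"
    r"[A-Za-z0-9](?:[A-Za-z0-9\-]*[A-Za-z0-9])?"          # first label
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9\-]*[A-Za-z0-9])?)*\.?"  # further labels
    r"|\[[0-9A-Fa-f:.]+\]"                                 # IPv6 literal
    r")(?::[0-9]{1,5})?"
)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '0.47.3' or '1.0.1' into a comparable tuple of ints.
    Each dotted piece contributes its leading digits; parsing stops at the
    first piece with no leading digits (pre-release tags are ignored)."""
    parts: list[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_patched(installed: str) -> bool:
    """True when the installed Starlette version is at or above 1.0.1."""
    v = parse_version(installed)
    # Pad short versions so (1, 1) compares like (1, 1, 0).
    v = v + (0,) * (len(FIXED_VERSION) - len(v))
    return v >= FIXED_VERSION


def host_header_ok(host: Optional[str], allowed_hosts: Iterable[str]) -> bool:
    """Accept a Host header only if it is syntactically host[:port] and the
    host part is in the deployment's allowlist (case-insensitive)."""
    if host is None or not _HOST_RE.fullmatch(host):
        return False
    if host.startswith("["):                      # IPv6 literal, keep brackets
        name = host.split("]", 1)[0] + "]"
    else:
        name = host.rsplit(":", 1)[0]             # strip an optional port
    allowed = {h.lower() for h in allowed_hosts}
    return name.lower().rstrip(".") in allowed


def triage_access_log(lines: Iterable[str], allowed_hosts: Iterable[str]) -> list[str]:
    """Return the log lines whose Host header fails validation. The constructed
    format is one 'METHOD PATH HOST' triple per line."""
    flagged = []
    for line in lines:
        _method, _path, host = line.split(" ", 2)
        if not host_header_ok(host, allowed_hosts):
            flagged.append(line)
    return flagged


# Constructed sample data: an allowlist and a handful of log lines.
ALLOWED = {"api.example.com", "[::1]"}
SAMPLE_LOG = [
    "GET /health api.example.com",
    "GET /admin/settings api.example.com:8000",
    "POST /v1/chat/completions API.EXAMPLE.COM",
    "GET /admin/settings api.example.com\t",   # control character in Host
    "GET /mcp/tools [::1]:8000",
    "GET /admin/settings evil.example",        # well-formed but not allowlisted
]

if __name__ == "__main__":
    for version in ("0.47.3", "1.0.0", "1.0.1"):
        print(f"starlette {version}: {'patched' if is_patched(version) else 'VULNERABLE'}")
    for line in triage_access_log(SAMPLE_LOG, ALLOWED):
        print("flagged:", repr(line))
```

The version check is meant for inventory scripts that already collect installed package versions; the Host validator belongs at the edge (reverse proxy or a first middleware), ahead of any routing that derives a URL from the Host value. Neither replaces upgrading to 1.0.1, which the article gives as the fix.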