- Secwest discloses CVE-2026-48710 (“BadHost”), a high-severity flaw in Starlette that lets attackers abuse malformed Host headers to bypass security checks and exfiltrate sensitive data
- Starlette supports frameworks like FastAPI and is widely used; researchers warn 7/10 score underestimates risk, with AI agent, biopharma, IoT and SaaS data potentially exposed
- The bug was fixed in version 1.0.1, but vulnerable builds are still common in production, making immediate upgrades and environmental scans critical
A lightweight Python web framework called Starlette carried a high-severity vulnerability that could allow malicious actors to exfiltrate sensitive data from millions of AI agents, experts have warned.
Some researchers even suggest that current descriptions of the fault do not do it justice, as it is one of the larger and potentially more disruptive faults of recent times.
Starlette is an open-source Python web framework for building fast web applications and APIs on the Asynchronous Server Gateway Interface (ASGI) standard. It receives around 325 million downloads every week and is the basis of many popular frameworks (for example FastAPI).
BadHost fixed with a patch
The problem stems from the fact that Starlette has access to servers running the Model Context Protocol (MCP), a tool that lets AI agents search the web or reach third-party services. To work properly, such a server must hold the correct permissions and store the correct passwords.
Security researchers at Secwest found a flaw that allowed attackers to send a fake or malformed “Host” header (the piece of information a website uses to understand which address was requested). In some cases, Starlette would build the request URL from this fake data, causing security checks to look at the wrong path.
The bug has been dubbed BadHost and is now tracked as CVE-2026-48710. It was given a severity rating of 7/10 (high) and was fixed in Starlette version 1.0.1.
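The defensive counterpart to what the article describes is to never let an untrusted Host value reach the code that derives the request URL. The following is an added example, not Starlette's own code and not Secwest's research material; it is a stand-alone validator that assumes the application knows the hostnames it should serve (an allowlist, here a constructed one) and rejects any Host value that is not a syntactically plain host[:port], so userinfo, path or query characters and stacked ports are refused before routing sees them. The regexes, function names and sample headers are all assumptions of this example.

```python
"""Strict Host header validation, as a defender-side illustration.

Added example, not Starlette's code or Secwest's proof of concept. It assumes
the application knows which hostnames it should serve (an allowlist) and
rejects any Host value that is not a plain host[:port].
"""
import re

# One DNS label; hostname is dot-separated labels with an optional trailing dot.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = rf"{_LABEL}(?:\.{_LABEL})*\.?"
# IPv6 literals appear in brackets (RFC 3986 IP-literal); kept deliberately simple.
_IPV6 = r"\[[0-9A-Fa-f:.]+\]"
_HOST_RE = re.compile(rf"^(?P<host>{_HOSTNAME}|{_IPV6})(?::(?P<port>\d{{1,5}}))?$")


def parse_host(value: str):
    """Return (hostname, port) for a well-formed Host value, else None.

    Anything that is not exactly host[:port] is rejected: userinfo ('@'),
    path or query characters ('/', '?', '#'), whitespace, multiple ports,
    out-of-range ports and empty values. Code that builds the request URL
    from Host must never see such input.
    """
    if not value:
        return None
    m = _HOST_RE.match(value)
    if not m:
        return None
    host = m.group("host").lower().rstrip(".")
    port = m.group("port")
    if port is not None:
        port = int(port)
        if not 1 <= port <= 65535:
            return None
    return host, port


def host_allowed(value: str, allowed: set[str]) -> bool:
    """True only if Host parses cleanly and its hostname is on the allowlist.

    Allowlist entries of the form '.example.com' match the domain and any
    subdomain; all other entries must match exactly (case-insensitive).
    """
    parsed = parse_host(value)
    if parsed is None:
        return False
    host, _ = parsed
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


# Constructed sample headers: the kinds of input a validator should classify.
SAMPLE_HOSTS = [
    "api.example.com",
    "api.example.com:8443",
    "[::1]:8000",
    "other.example.net",
    "api.example.com/path",
    "user@api.example.com",
    "api.example.com:80:80",
    "",
]

if __name__ == "__main__":
    allow = {"api.example.com", ".internal.example.com", "localhost"}
    for h in SAMPLE_HOSTS:
        verdict = "accept" if host_allowed(h, allow) else "reject"
        print(f"{h!r:32} -> {verdict}")
```

In a real deployment this check belongs in the first middleware that runs, returning a 400 for anything `host_allowed` refuses, and the allowlist should come from configuration rather than from any request data.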
For Secwest, giving BadHost a 7/10 “significantly underestimates” the seriousness of the threat. It claims that, at this moment, biopharma AI data, identity verification data, IoT and industrial data, emails, SaaS data and more are all exposed.
Starlette patched the bug but did not comment on the findings. Ars Technica says that vulnerable versions are still “widespread” in production systems and that companies should at least scan to see whether they are among those at risk.
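The scan the article recommends starts with knowing which Starlette release each environment runs. The script below is an added example, not from Starlette or Secwest; it assumes the release that carries the fix is 1.0.1 (as reported above) and treats anything older, including pre-releases of 1.0.1, as unpatched. Which earlier releases are actually affected is for the advisory to state, so read an "unpatched" result as "needs checking against the advisory". The requirements excerpt is constructed, and `installed_status` simply reports whatever Starlette the current interpreter can import.

```python
"""Report whether an installed or pinned Starlette predates the BadHost fix.

Added example, not Starlette's or Secwest's code. Assumes 1.0.1 is the first
release containing the fix and treats every older version as unpatched.
"""
import re
from importlib.metadata import PackageNotFoundError
from importlib.metadata import version as installed_version

FIXED_VERSION = "1.0.1"  # first release reported to contain the fix

# Numeric release segment plus an optional pre/dev marker (PEP 440 subset).
_VERSION_RE = re.compile(
    r"^v?(?P<release>\d+(?:\.\d+)*)(?P<pre>[.\-_]?(?:a|b|rc|dev|pre)\d*)?",
    re.IGNORECASE,
)


def parse_version(ver: str) -> tuple[tuple[int, ...], bool]:
    """Return (release_tuple, is_prerelease); '1.0.1rc2' -> ((1, 0, 1), True)."""
    m = _VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    release = tuple(int(part) for part in m.group("release").split("."))
    return release, m.group("pre") is not None


def _pad(t: tuple[int, ...], n: int) -> tuple[int, ...]:
    # Treat '1.1' as '1.1.0' so tuples compare component-wise.
    return t + (0,) * (n - len(t))


def is_patched(ver: str) -> bool:
    """True if ver is the fixed release or newer; pre-releases of the fixed
    version count as unpatched, which is the conservative reading."""
    release, pre = parse_version(ver)
    fixed, _ = parse_version(FIXED_VERSION)
    n = max(len(release), len(fixed))
    release, fixed = _pad(release, n), _pad(fixed, n)
    if release > fixed:
        return True
    if release == fixed:
        return not pre
    return False


def scan_requirements(text: str) -> list[tuple[str, bool]]:
    """Find exact 'starlette==X' pins in requirements/lock text and return
    (version, patched) pairs; comments and environment markers are ignored."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^starlette\s*==\s*([^\s;]+)", line, re.IGNORECASE)
        if m:
            findings.append((m.group(1), is_patched(m.group(1))))
    return findings


def installed_status():
    """(version, patched) for the Starlette importable here, or None if absent."""
    try:
        ver = installed_version("starlette")
    except PackageNotFoundError:
        return None
    return ver, is_patched(ver)


# Constructed lock-file excerpt with an older pin, for demonstration only.
SAMPLE_REQUIREMENTS = """\
fastapi==0.115.0
starlette==0.38.2   # older pin, constructed for this example
uvicorn==0.30.0
"""

if __name__ == "__main__":
    for ver, ok in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"pinned starlette {ver}: {'patched' if ok else 'UNPATCHED'}")
    status = installed_status()
    if status is None:
        print("starlette is not installed in this interpreter")
    else:
        print(f"installed starlette {status[0]}: {'patched' if status[1] else 'UNPATCHED'}")
```

Run it inside each application's virtual environment, or feed it the lock files from CI, since an image may ship a different Starlette than the one on a developer's machine.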