Key Points
- BadHost (CVE-2026-48710) is a vulnerability in Starlette, a Python ASGI web framework with 325 million weekly downloads.
- It lets an attacker bypass path-based authorization by injecting a single character into the HTTP Host header.
- Affected tools include FastAPI, vLLM, LiteLLM, and most MCP servers, the components that hold credentials on behalf of AI agents.
- The bug carries a severity rating of 7/10, but the researchers who reported it say that rating "materially understates" the real danger.
- A fix shipped in Starlette version 1.0.1 on Friday, but millions of servers remain unpatched.
Why It Matters
This is not just another software bug; it reaches into the plumbing that modern AI agents run on. MCP servers hold credentials for user databases, email accounts and calendars so that agents can act on a user's behalf, and those credentials sit behind endpoints that path-based authorization is supposed to protect. An attacker who exploits BadHost can reach those endpoints without any special tooling: the whole attack is one extra character in a request header that every HTTP client already sends. Because Starlette sits underneath FastAPI, vLLM, LiteLLM and most MCP servers, and is downloaded 325 million times a week, the population of exposed services is very large. The practical response is to upgrade to Starlette 1.0.1 or later. Until that is done, rejecting any request whose Host header is not on an explicit allow-list is a reasonable defense-in-depth measure, because it denies the attacker control over the header this bug depends on.
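The following is an added example, not code from the article, from Starlette or from the BadHost advisory, and it does not reproduce the bug itself, which this page does not describe. It shows the allow-list check a practitioner would put in front of a Starlette-based service: a stdlib-only ASGI middleware that rejects any request whose Host header is either malformed (a stray "?", "#", "/", "@" or whitespace fails the grammar) or not one of the hostnames the operator expects. Starlette ships its own `TrustedHostMiddleware` for the same purpose; this version uses only the standard library so it runs without Starlette installed. The names `validate_host`, `StrictHostMiddleware`, `protected_app` and `simulate`, and the allow-listed hosts `api.example.com` and `localhost`, are assumptions made for the example. It is defense in depth, not a substitute for upgrading to 1.0.1.

```python
"""
Added example (not Starlette's fix): reject requests whose Host header is not
syntactically clean and explicitly allow-listed, before they reach the app.
"""
import asyncio
import re
from typing import FrozenSet, Iterable, Optional

# Approximation of RFC 3986 `host [":" port]`: a DNS name or dotted IPv4 made
# of alphanumeric labels and hyphens, or a bracketed IPv6 literal, plus an
# optional numeric port. Any other character, including a single "?", "#",
# "/", "@" or whitespace, makes the whole header fail to match.
_HOST_RE = re.compile(
    r"(?P<host>"
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*"
    r"|\[[0-9a-f:.]+\]"
    r")"
    r"(?::(?P<port>[0-9]{1,5}))?",
    re.IGNORECASE,
)


def validate_host(raw: str, allowed: FrozenSet[str]) -> Optional[str]:
    """Return the normalised 'host' or 'host:port' if `raw` is well-formed and
    its host part is allow-listed, otherwise None. The allow-list is matched on
    the host part alone; the port is only range-checked."""
    if not raw or len(raw) > 259:  # 253-char DNS maximum plus ":65535"
        return None
    match = _HOST_RE.fullmatch(raw)
    if match is None:
        return None
    host = match.group("host").lower()
    port = match.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        return None
    if host not in allowed:
        return None
    return host if port is None else f"{host}:{port}"


def _header(scope: dict, name: bytes) -> str:
    """Return the first value of an ASGI header, decoded as latin-1 like ASGI servers do."""
    for key, value in scope.get("headers", []):
        if key.lower() == name:
            return value.decode("latin-1")
    return ""


class StrictHostMiddleware:
    """Hypothetical ASGI middleware: answer 400 to any HTTP request whose Host
    header is missing, malformed or not allow-listed, so the wrapped app never
    sees an attacker-controlled Host value."""

    def __init__(self, app, allowed_hosts: Iterable[str]):
        self.app = app
        self.allowed = frozenset(h.lower() for h in allowed_hosts)

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and validate_host(_header(scope, b"host"), self.allowed) is None:
            await send({"type": "http.response.start", "status": 400,
                        "headers": [(b"content-type", b"text/plain")]})
            await send({"type": "http.response.body", "body": b"bad Host header\n"})
            return
        await self.app(scope, receive, send)


async def protected_app(scope, receive, send):
    """Constructed stand-in for a Starlette/FastAPI/MCP app behind the middleware."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"credential material\n"})


def simulate(app, host: str, path: str = "/admin/credentials") -> int:
    """Drive an ASGI app with a constructed GET request and return the HTTP status."""
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    scope = {
        "type": "http", "http_version": "1.1", "method": "GET", "scheme": "http",
        "path": path, "raw_path": path.encode(), "query_string": b"",
        "headers": [(b"host", host.encode("latin-1"))] if host else [],
    }
    asyncio.run(app(scope, receive, send))
    return sent[0]["status"]


# Allow-listed hosts are assumed for the example.
app = StrictHostMiddleware(protected_app, ["api.example.com", "localhost"])

if __name__ == "__main__":
    for h in ["api.example.com", "api.example.com:8443", "API.example.com",
              "api.example.com?", "api.example.com/", "api.example.com#", "evil.example", ""]:
        print(f"{h!r:24} -> {simulate(app, h)}")
```

The grammar check and the allow-list are deliberately separate: the grammar rejects injected punctuation regardless of what the operator configured, and the allow-list rejects well-formed but unexpected hostnames, so a misconfigured allow-list still does not let malformed headers through. Put the middleware outermost so it runs before any routing or authorization code that derives values from the Host header.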