Millions of AI agents and tools around the world have been imperiled by a critical vulnerability that can allow hackers to breach the servers running them and make off with sensitive data and credentials to third-party accounts, a security researcher is warning.

The vulnerability is present in Starlette, an open source framework that its developer says receives 325 million downloads per week. Thousands of other open source projects are also vulnerable because they require Starlette to work. The framework is an implementation of the ASGI (asynchronous server gateway interface), which allows large numbers of requests to be efficiently processed simultaneously. Starlette is the base of FastAPI and other widely used frameworks for building services in Python apps, as well as many others.

Trivial to exploit, millions of servers exposed

ASGI, and by extension Starlette, have access to servers running the MCP (model context protocol), which allows AI agents from major providers to access external sources, including user data bases, email and calendar accounts, and all manner of other resources. To connect with these external systems, MCP servers store credentials for each one, making them especially valuable storehouses for attackers to breach.

The vulnerability, tracked as CVE-2026-48710 and under the name BadHost, is trivial to exploit and works against most systems that aren’t behind a properly configured firewall. Besides FastAPI, other widely used packages—including vLLM, and LiteLLM—are also affected. BadHost affects Starlette versions prior to 1.0.1, which was released Friday.

“A single character injected into the HTTP Host header bypasses path-based authorization in Starlette, the routing core of FastAPI,” researchers from Secwest wrote. “Through FastAPI, this primitive (now tracked as CVE-2026-48710 and branded BadHost by the discoverers) reaches a large segment of the Python AI tooling ecosystem: vLLM (where the bug was discovered), LiteLLM, Text Generation Inference, most OpenAI-shim proxies, MCP servers, agent harnesses, eval dashboards, and model-management UIs.”

BadHost carries a severity rating of 7 out of 10. Secwest said the classification “materially understates” the threat it poses to people using other apps that depend on Starlette. X41 D-Sec, the security firm that discovered it, described it as having “critical severity.” X41 D-Sec partnered with fellow security firm Nemesis to create an online scanner that can check if a given server is vulnerable.