🤖 AI Summary
A critical vulnerability, identified as CVE-2026-48710 and dubbed "BadHost," has been discovered in the Starlette open source framework, impacting millions of AI agents and tools worldwide. Starlette serves as the foundation for numerous popular Python frameworks, including FastAPI, and allows for the efficient processing of concurrent requests through its implementation of the ASGI (asynchronous server gateway interface). The vulnerability is particularly concerning because it enables hackers to exploit poorly configured servers to access sensitive data and credentials, compromising user information across various applications that rely on Starlette.
The ease of exploitation (injecting a single character into the HTTP Host header is enough) means that many systems running Starlette versions prior to the newly released 1.0.1 are at risk. Security experts have rated the severity of this vulnerability as a high 7 out of 10; even so, that rating may understate the actual threat to users of connected applications. With major frameworks such as vLLM and LiteLLM also affected, the cybersecurity firms X41 D-Sec and Nemesis have launched a specialized online scanner to help identify vulnerable servers. The widespread impact of this vulnerability highlights the critical need for robust security measures in AI tooling environments.