Worrying open-source security issue 'BadHost' could affect millions of AI agents, experts warn
The risk is "materially understated", researchers are saying
- Secwest discloses CVE-2026-48710 ("BadHost"), a high-severity flaw in Starlette that lets attackers abuse malformed Host headers to bypass security checks and exfiltrate sensitive data
- Starlette underpins frameworks like FastAPI and is widely deployed; researchers warn the 7/10 score understates the risk, with AI agent, biopharma, IoT, and SaaS data potentially exposed
- The bug was patched in version 1.0.1, but vulnerable builds remain common in production, making immediate upgrades and environment scans critical
A lightweight Python web framework called Starlette carried a high-severity vulnerability which could allow malicious actors to exfiltrate sensitive data from millions of AI agents, experts have warned.
Some researchers are even suggesting that current descriptions of the flaw don't do it justice, and that it is one of the bigger and potentially more disruptive flaws in recent times.
Starlette is a Python web framework and toolkit built for creating fast web applications and APIs using the Asynchronous Server Gateway Interface (ASGI) standard. It is open source, receives around 325 million downloads every week, and is the foundation of many popular frameworks (for example, FastAPI).
BadHost fixed with a patch
The problem stems from the fact that Starlette has access to servers running the Model Context Protocol (MCP), a tool that allows AI agents to search the web or access third-party services. To work properly, that tool needs to hold the right permissions and store the right passwords.
Security researchers at Secwest found a flaw that allowed attackers to send a fake or malformed 'Host' header (a piece of information websites use to understand which address was requested). In some cases, Starlette would build the request URL from this fake data, causing security checks to look at the wrong path.
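The defensive counterpart to the behaviour described above is to refuse to build anything from a Host header until it has been validated as a well-formed hostname (optionally with a port) that appears on an explicit allowlist. The following is an added example written for this article, not code from Starlette or from Secwest; the allowlist, the sample header values and the `parse_host_header`/`is_trusted_host`/`canonical_base_url` names are all constructed for illustration, and it handles only ASCII hostnames (no IPv6 literals or IDNs).

```python
import re
from typing import Optional, Tuple

# Constructed allowlist: the only hostnames this deployment is willing to serve.
ALLOWED_HOSTS = frozenset({"api.example.com", "localhost"})

# One RFC 1123 hostname label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# Whole header: host[:port], anchored so that slashes, spaces, '@', '?' etc. cannot sneak in.
_HOST_RE = re.compile(rf"^(?P<host>{_LABEL}(?:\.{_LABEL})*)(?::(?P<port>\d{{1,5}}))?$")


def parse_host_header(value: str) -> Optional[Tuple[str, Optional[int]]]:
    """Return (hostname, port) if the header is a well-formed host[:port], else None.

    The value is lower-cased for comparison but never trimmed: any surrounding
    whitespace or stray characters is a reason to reject, not to repair.
    """
    if not isinstance(value, str) or not value or len(value) > 255:
        return None
    match = _HOST_RE.match(value.lower())
    if match is None:
        return None
    port_text = match.group("port")
    port: Optional[int] = None
    if port_text is not None:
        port = int(port_text)
        if not 1 <= port <= 65535:
            return None
    return match.group("host"), port


def is_trusted_host(value: str, allowed=ALLOWED_HOSTS) -> bool:
    """True only when the header parses cleanly AND the hostname is allowlisted."""
    parsed = parse_host_header(value)
    if parsed is None:
        return False
    host, _port = parsed
    return host in allowed


def canonical_base_url(host_header: str, scheme: str = "https",
                       allowed=ALLOWED_HOSTS) -> Optional[str]:
    """Build a base URL from the *validated* host, or None if the header is untrusted.

    Callers that get None should respond 400 rather than fall back to the raw header.
    """
    parsed = parse_host_header(host_header)
    if parsed is None or parsed[0] not in allowed:
        return None
    host, port = parsed
    return f"{scheme}://{host}" + (f":{port}" if port is not None else "")


if __name__ == "__main__":
    # Constructed sample header values exercising the accept/reject paths.
    for sample in ["api.example.com", "API.Example.com:8443", "api.example.com:0",
                   "api.example.com/admin", "evil.example.com", " api.example.com", ""]:
        print(f"{sample!r:28} trusted={is_trusted_host(sample)} "
              f"url={canonical_base_url(sample)}")
```

Allowlist comparison happens on the parsed hostname, not on the raw string, so an attacker cannot satisfy a substring check with a value that merely contains an allowed name; and because the regex is anchored at both ends, any header carrying path-like or whitespace characters fails before it reaches URL construction.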
The bug is dubbed BadHost, and is now tracked as CVE-2026-48710. It was given a severity score of 7/10 (high) and was fixed in Starlette version 1.0.1.
For Secwest, giving BadHost a 7/10 "materially understates" the severity of the threat. It claims that, at this very moment, biopharma AI data, identity verification data, IoT and industrial data, emails, SaaS data, and more are all exposed.
While it did patch the flaw, Starlette did not comment on the findings. Ars Technica says vulnerable versions are still "widely used" in production systems, and that businesses should at least scan their environments to see whether they are among those at risk.
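The scan the article recommends can start with something as simple as checking pinned dependency versions against the fixed release it names. The block below is an added example written for this article, not a tool from Starlette, Secwest or Ars Technica. It assumes that every Starlette release below 1.0.1 should be treated as needing review (the article states only the fixed version, not the exact affected range), and it reads `pip freeze`-style `name==version` lines; the sample freeze output and the function names are constructed.

```python
import re
from typing import Dict, List, Tuple

# Fixed release named in the article; anything below it is flagged (assumption: see lead-in).
FIXED_VERSION = "1.0.1"
_PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==(\S+)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.47.2' into (0, 47, 2). Pre-release suffixes such as 'rc1' are dropped.

    Assumption: a plain numeric comparison is enough for this one check; use the
    `packaging` library for full PEP 440 semantics in a real scanner.
    """
    numbers: List[int] = []
    for part in text.split("."):
        match = re.match(r"\d+", part)
        if match is None:
            break
        numbers.append(int(match.group()))
    return tuple(numbers) if numbers else (0,)


def is_vulnerable_version(version: str) -> bool:
    """True when the pinned Starlette version sorts below the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def parse_freeze(text: str) -> Dict[str, str]:
    """Map normalised package name -> pinned version from `pip freeze` output."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = _PIN_RE.match(line)
        if match is None:
            continue  # editable installs, VCS URLs etc. are out of scope here
        name = match.group(1).lower().replace("_", "-")
        pins[name] = match.group(2)
    return pins


def scan_freeze(text: str) -> List[Tuple[str, str, str]]:
    """Return (package, version, status) findings relevant to BadHost.

    Starlette itself is graded 'vulnerable' or 'fixed'. If only FastAPI is pinned,
    Starlette is still present transitively, so the finding asks for a resolved pin.
    """
    pins = parse_freeze(text)
    findings: List[Tuple[str, str, str]] = []
    if "starlette" in pins:
        version = pins["starlette"]
        status = "vulnerable" if is_vulnerable_version(version) else "fixed"
        findings.append(("starlette", version, status))
    elif "fastapi" in pins:
        findings.append(("fastapi", pins["fastapi"], "check transitive starlette pin"))
    return findings


# Constructed sample `pip freeze` output for demonstration only.
SAMPLE_FREEZE = """\
fastapi==0.115.0
starlette==0.47.2
uvicorn==0.30.0
"""

if __name__ == "__main__":
    for package, version, status in scan_freeze(SAMPLE_FREEZE):
        print(f"{package}=={version}: {status}")
```

In practice the same `scan_freeze` can be pointed at the output of `pip freeze` from each deployed virtual environment or container image; a lock file that pins FastAPI but not Starlette is the case most likely to hide an old build, which is why the scanner reports it separately instead of staying silent.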
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.