Millions of AI agents imperiled by critical vulnerability in open source package

A critical vulnerability, dubbed BadHost, has been discovered in Starlette, an open-source framework used by millions of AI agents and tools. This flaw can lead to unauthorized access, data theft, and even remote code execution on affected servers. Urgent updates and scans are recommended to mitigate the risk.
Millions of AI agents and tools globally are at risk due to a critical vulnerability in Starlette, a widely used open-source framework. This flaw, dubbed "BadHost" (CVE-2026-48710), allows attackers to breach servers, steal sensitive data, and acquire credentials for third-party accounts. Starlette is integral to many Python AI applications, including FastAPI, vLLM, and LiteLLM. Some estimates suggest Starlette is downloaded 325 million times per week, amplifying the potential impact.
The vulnerability stems from Starlette's handling of the HTTP Host header. Starlette accepts invalid values, so applications that make authentication decisions using Starlette's request.url object can be led to approve unauthorized access requests. This inconsistent interpretation of the header can bypass authentication, cause server-side request forgery (SSRF), and, in some cases, enable remote code execution.
Security researchers at X41 D-Sec, who discovered the vulnerability, along with Secwest, emphasize that BadHost is trivial to exploit. Despite the severity rating of 7 out of 10, experts believe that score significantly understates the actual threat. The issue affects Starlette versions prior to 1.0.1, which was released recently.
Since Starlette forms the foundation for popular frameworks like FastAPI, and many AI tools rely on it for accessing external resources, the scope of affected systems is vast. Model Context Protocol (MCP) servers, which store credentials for various external systems like user databases and email accounts, are particularly vulnerable.
Given the widespread use of vulnerable Starlette versions, it is crucial for administrators of systems depending on Starlette, especially those using FastAPI, vLLM, and LiteLLM, to take immediate action. X41 D-Sec, in partnership with Nemesis, has developed an online scanner to identify vulnerable servers. Regular scans and prompt updates to Starlette version 1.0.1 or later are essential for mitigating this critical security risk.
