Starlette bug could expose AI agent servers and stored credentials

In short: Security researchers say a flaw in the Starlette web software can let attackers break into many AI-related servers and steal sensitive data.

What happened

A newly disclosed security issue, tracked as CVE-2026-48710 and nicknamed “BadHost,” affects Starlette, a widely used open source software component for running web services in Python. Starlette’s developer says it gets about 325 million downloads per week. Many other tools depend on it, including FastAPI, vLLM, and LiteLLM.

Researchers say the bug is easy to exploit on servers that are not protected by a properly set up firewall. The problem involves the “Host header,” which is a small piece of internet traffic that tells a server which site a request is meant for. In this case, adding a single character can confuse how Starlette rebuilds a web address, which can cause some apps to approve requests they should block (like a bouncer checking the wrong name on a list).

The researchers warn the risk is especially high for servers connected to MCP, short for Model Context Protocol, which helps AI agents connect to outside services like email, calendars, and databases. To do that, MCP servers often store login keys and passwords for those services.

Starlette version 1.0.1, released Friday, fixes the issue. Security firms X41 D-Sec and Nemesis also published an online scanner that checks whether a server is vulnerable.

Why it matters

If a company uses AI agents that can access business tools, this flaw could expose private data and account credentials, not just the AI system itself. That can lead to stolen emails, customer records, documents, and in some cases deeper access into internal systems.

Source: Arstechnica