
A vulnerability tracked as CVE-2026-48710 and named BadHost affects Starlette, an open source framework that receives 325 million downloads per week, along with widely used packages including FastAPI, vLLM, and LiteLLM. A single character injected into the HTTP Host header bypasses path-based authorization.
Starlette serves as the base for frameworks used to build services in Python applications, and it underpins MCP (Model Context Protocol) servers, which allow AI agents to access external systems including user databases, email and calendar accounts. MCP servers store credentials for these systems, making them targets for attackers seeking sensitive data and third-party account credentials.
BadHost carries a severity rating of 7 out of 10 according to Secwest, though X41 D-Sec, the security firm that discovered it, described it as having critical severity. The vulnerability affects Starlette versions prior to 1.0.1, which was released Friday.