- Secwest discloses CVE‑2026‑48710 (“BadHost”), a high‑severity flaw in Starlette that lets attackers abuse malformed Host headers to bypass security checks and exfiltrate sensitive data
- Starlette underpins frameworks like FastAPI and is widely deployed; researchers warn the 7/10 score understates the risk, with AI agent, biopharma, IoT, and SaaS data potentially exposed
- The bug was patched in version 1.0.1, but vulnerable builds remain common in production, making immediate upgrades and environment scans critical
A lightweight Python web framework called Starlette carried a high-severity vulnerability which could allow malicious actors to exfiltrate sensitive data from millions of AI agents, experts have warned.
Some researchers are even suggesting current descriptions of the flaw don’t do it justice as it is one of the bigger and potentially more disruptive flaws in recent times.
Starlette is a Python web framework and tool built for creating fast web applications and APIs using the Asynchronous Server Gateway Interface (ASGI) standard. Being open source, it receives around 325 million downloads every week and is the foundation of many popular frameworks (for example, FastAPI).
BadHost fixed with a patch
The problem stems from the fact that Starlette has access to servers running the Model Context Protocol (MCP), a tool that allows AI agents to search the web or access third-party services. To be able to work properly, that tool needs to have the right permissions and needs to store the right passwords.
Security researchers Secwest found a flaw that allowed attackers to send a fake or malformed ‘Host’ header (a piece of information websites use to understand which address was requested). In some cases, Starlette would build the request URL using this fake data, causing security checks to look at the wrong path.
The bug is dubbed BadHost, and is now tracked as CVE-2026-48710. It was given a severity score of 7/10 (high) and was fixed in Starlette version 1.0.1.
For Secwest, giving BadHost a 7/10 “materially understates” the severity of the threat. It claims that at this very moment, biopharma AI data, identity verification data, IoT and industrial data, emails, SaaS data, and more, are all exposed.
While it did patch the flaw, Starlette did not comment on the findings. Ars Technica says vulnerable versions are still “widely used” in production systems, and that businesses should at least scan to see if they are among those at risk.
