- Secwest discloses CVE‑2026‑48710 (“BadHost”), a high severity flaw in Starlette that allows attackers to abuse malformed Host headers to bypass security controls and exfiltrate sensitive data.
- Starlette supports frameworks like FastAPI and is widely deployed; researchers warn that the score of 7/10 underestimates the risk, with data from AI agents, biopharmaceuticals, IoT and SaaS potentially exposed.
- The bug was fixed in version 1.0.1, but vulnerable versions remain common in production, making immediate upgrades and environmental scans critical.
A lightweight Python web framework called Starlette contained a high-severity vulnerability that could allow malicious actors to exfiltrate sensitive data from millions of AI agents, experts have warned.
Some researchers even suggest that current descriptions of the flaw don't do it justice, calling it one of the largest and potentially most disruptive flaws in recent times.
Starlette is a Python web framework and tool designed to build fast web applications and APIs using the Asynchronous Server Gateway Interface (ASGI) standard. Being open source, it receives around 325 million downloads every week and forms the basis of many popular frameworks (e.g. FastAPI).
BadHost fixed with a patch
The problem arises because Starlette is used to host servers running the Model Context Protocol (MCP), a tool that allows AI agents to search the web or access third-party services. To function properly, such a server must hold the appropriate permissions and must store the correct passwords.
Security researchers at Secwest discovered a flaw that allowed attackers to send a false or malformed "Host" header (the header a web server uses to determine which address was requested). In some cases, Starlette would construct the request URL from this fake data, causing security checks to evaluate the wrong path.
The bug is dubbed BadHost and is now tracked as CVE-2026-48710. It received a severity score of 7/10 (high) and was fixed in Starlette version 1.0.1.
For Secwest, giving BadHost a rating of 7/10 "significantly underestimates" the severity of the threat. The researchers claim that right now, biopharmaceutical AI data, identity verification data, IoT and industrial data, emails, SaaS data and more are all exposed.
Although the flaw has been fixed, Starlette's maintainers have not commented on the findings. Ars Technica reports that vulnerable versions are still "widely used" in production systems and that companies should at least scan their environments to see whether they are among those at risk.
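The mitigation for the class of problem described above is to validate the Host header's grammar and check it against an allowlist before it is used to build the request URL. The example below is added here and is not Starlette's code or the BadHost patch; it is a plain-Python, ASGI-scope-level check with a hypothetical allowlist and constructed sample requests. Starlette itself ships a TrustedHostMiddleware for Host allowlisting; whether it relates to the BadHost fix is not stated in the article.

```python
import re
from urllib.parse import quote

# Host header grammar: dotted labels or bracketed IPv6, optional ":port"; nothing else.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(
    rf"^(?:(?P<name>{_LABEL}(?:\.{_LABEL})*)|\[(?P<ipv6>[0-9a-f:.]+)\])(?::(?P<port>\d{{1,5}}))?$"
)

def parse_host(header: bytes):
    """Return (host, port) for a well-formed Host header, else None.
    Schemes, paths, userinfo, whitespace and non-ASCII bytes are all rejected."""
    try:
        value = header.decode("ascii").lower()
    except UnicodeDecodeError:
        return None
    m = _HOST_RE.match(value)
    if not m:
        return None
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not 0 < port < 65536:
        return None
    host = m.group("name") or f"[{m.group('ipv6')}]"
    return host, port

def host_allowed(host: str, allowed: list[str]) -> bool:
    """Exact match, or '*.example' matching any subdomain (but not the bare apex)."""
    for pattern in allowed:
        if pattern == "*" or host == pattern:
            return True
        if pattern.startswith("*.") and host.endswith(pattern[1:]):
            return True
    return False

def safe_url(scope: dict, allowed: list[str]):
    """Build the request URL from a validated Host header plus the ASGI path.
    Returns None (respond 400) if Host is missing, duplicated, malformed or not allowed."""
    hosts = [v for k, v in scope.get("headers", []) if k.lower() == b"host"]
    parsed = parse_host(hosts[0]) if len(hosts) == 1 else None
    if parsed is None or not host_allowed(parsed[0], allowed):
        return None
    host, port = parsed
    scheme = scope.get("scheme", "http")
    default_port = 443 if scheme == "https" else 80
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    url = f"{scheme}://{netloc}{quote(scope.get('path', '/'))}"
    query = scope.get("query_string", b"").decode("latin-1")
    return f"{url}?{query}" if query else url

# Constructed sample scopes; the allowlist and host names are hypothetical.
ALLOWED_HOSTS = ["api.example.com", "*.internal.example"]
_BASE = {"type": "http", "scheme": "https", "path": "/admin/keys", "query_string": b""}

def demo():
    good = dict(_BASE, headers=[(b"host", b"api.example.com")])
    wrong_host = dict(_BASE, headers=[(b"host", b"not-allowed.example")])
    malformed = dict(_BASE, headers=[(b"host", b"api.example.com/extra")])
    return tuple(safe_url(s, ALLOWED_HOSTS) for s in (good, wrong_host, malformed))
```

Only the first constructed request yields a URL; the unlisted and malformed Host values are rejected before any path-based check can run on a URL built from them.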
Follow TechRadar on Google News and add us as your favorite source to get our news, reviews and expert opinions in your feeds.