Security researchers have uncovered a severe vulnerability, dubbed BadHost (CVE-2026-48710), in the Starlette web framework that powers FastAPI and dozens of AI-related Python packages. The flaw lets a malicious HTTP Host header bypass path-based authorization, giving attackers access to servers that store valuable credentials for AI agents. Starlette versions before 1.0.1 are vulnerable; the affected packages together account for an estimated 325 million weekly downloads. The fix arrived Friday, and a joint scanner from X41 D-Sec and Nemesis now lets operators test whether their deployments are affected.