WHEN AGENTS TURN BAD

Millions of AI agents imperiled by critical vulnerability in open source package

“BadHost” was found in Starlette, a package with 325 million weekly downloads.

Dan Goodin – May 26, 2026 7:50 PM|[43](https://arstechnica.com/information-technology/2026/05/millions-of-ai-agents-imperiled-by-critical-vulnerability-in-open-source-package/#comments "43 comments")

Credit: Aurich Lawson

Millions of AI agents and tools around the world have been imperiled by a critical vulnerability that can allow hackers to breach the servers running them and make off with sensitive data and credentials to third-party accounts, a security researcher is warning.

The vulnerability is present in Starlette, an open source framework that its developer says receives 325 million downloads per week. Thousands of other open source projects are also vulnerable because they depend on Starlette to work. The framework is an implementation of ASGI (the asynchronous server gateway interface), the Python standard that lets a server process large numbers of requests concurrently. Starlette is the base of FastAPI and of many other widely used Python frameworks and services.

Trivial to exploit, millions of servers exposed

Among the services built on Starlette and other ASGI frameworks are servers implementing MCP (the model context protocol), which lets AI agents from major providers reach external sources, including user databases, email and calendar accounts, and all manner of other resources. To connect with these external systems, MCP servers store credentials for each one, making them especially valuable storehouses for attackers to breach.

The vulnerability, tracked as CVE-2026-48710 and named BadHost, is trivial to exploit and works against most systems that aren't behind a properly configured firewall or a reverse proxy that rejects malformed Host headers. Besides FastAPI, other widely used packages, including vLLM and LiteLLM, are also affected. BadHost affects Starlette versions prior to 1.0.1, which was released Friday.

“A single character injected into the HTTP Host header bypasses path-based authorization in Starlette, the routing core of FastAPI,” researchers from Secwest wrote. “Through FastAPI, this primitive (now tracked as CVE-2026-48710 and branded BadHost by the discoverers) reaches a large segment of the Python AI tooling ecosystem: vLLM (where the bug was discovered), LiteLLM, Text Generation Inference, most OpenAI-shim proxies, MCP servers, agent harnesses, eval dashboards, and model-management UIs.”

BadHost carries a severity rating of 7 out of 10. Secwest said the classification “materially understates” the threat it poses to people using other apps that depend on Starlette. X41 D-Sec, the security firm that discovered it, described it as having “critical severity.” X41 D-Sec partnered with fellow security firm Nemesis to create an online scanner that can check if a given server is vulnerable.

X41 D-Sec researcher Markus Vervier said a scan has revealed the following types of data are currently exposed:

  1. Biopharma AI – clinical trial DBs, M&A data, SSRF
  2. Identity Verification – face analysis, KYB, live PII, internal codebase
  3. IoT/Industrial – SSH to devices via bastion, remote code execution
  4. Email/SaaS – full mailbox read/send/delete, S3 export, webhooks
  5. HR/Recruitment – candidate PII, hiring pipeline data
  6. CMS/Marketing – subscriber lists, send/schedule mass email campaigns
  7. Document Management – read, upload, modify scanned documents
  8. Cloud Monitoring – AWS topology, distributed traces, metric queries
  9. Cybersecurity – asset inventory, live Nuclei scanner access
  10. Personal Health/Finance – nutrition logs, expenses, subscriptions

The crux of the vulnerability is that Starlette accepts invalid Host header values, which cause apps that authenticate using Starlette's request.url object to approve unauthorized requests. X41 D-Sec said it has found authentication in multiple apps that rely on this object to be bypassed. Exploitation can also lead to SSRF (server-side request forgery) and, in some cases, remote code execution. X41 D-Sec described it this way:

Starlette reconstructs the requested URL based on the HTTP Host request header and requested path, but does not perform any validation of the Host header value. This allows attackers to inject paths into the host part, prepending the actual path. However, routing in Starlette is based on the actual request path. This inconsistent interpretation of HTTP requests may lead to issues such as authentication bypass when the authentication depends on the reconstructed URL’s path. Starlette is the foundation of the FastAPI Python framework.

Company researchers added: “The routing algorithm of Starlette depends on the HTTP path, but the request.url.path attribute which is made available to middlewares and endpoints is based on the reconstructed URL. It is unexpected for users that request.url.path is different from the actual path requested over HTTP.”
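The following Python is an added illustration of the bug class described above, constructed for this page; it is not Starlette's code and not X41 D-Sec's or Nemesis's scanner. It models the two views of one request that the researchers contrast: a URL rebuilt as scheme://host+path from an unvalidated Host header and parsed back (the request.url.path view), versus the raw request path the router dispatches on. A middleware that gates /admin on the reconstructed path is bypassed by a single "#" or "?" appended to the Host value, or by a path segment smuggled into it; the hardened variant validates the Host header against an assumed allowlist (api.example.com) and authorizes on the raw path. The two-route app, the request cases, and the host regex are all assumptions of the example.

```python
"""Constructed model of the BadHost bug class: reconstructed-URL path versus
raw routing path. Not Starlette's code; stdlib only."""
import re
from urllib.parse import urlsplit


def reconstruct_path(host: str, raw_path: str, scheme: str = "http") -> str:
    """Rebuild the URL the way the article says Starlette does (Host header
    plus raw path, no Host validation) and return the path that parsing it
    yields. This is the request.url.path view of the request."""
    return urlsplit(f"{scheme}://{host}{raw_path}").path


def router_dispatch(raw_path: str) -> str:
    """Routing keys on the raw request path only (hypothetical two-route app)."""
    return "admin_handler" if raw_path.startswith("/admin") else "public_handler"


def naive_is_authorized(host: str, raw_path: str, has_admin_token: bool) -> bool:
    """Vulnerable pattern: gate /admin on the reconstructed path rather than on
    the path the router will actually use."""
    if reconstruct_path(host, raw_path).startswith("/admin"):
        return has_admin_token
    return True


# Hostname or bracketed IPv6 literal with optional port; anything else
# ('#', '?', '/', whitespace, ...) is rejected. Assumed for this example.
_HOST_RE = re.compile(
    r"^(?:(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?$"
)


def _strip_port(host: str) -> str:
    if host.startswith("["):
        return host[: host.index("]") + 1]
    return host.split(":", 1)[0]


def hardened_is_authorized(host: str, raw_path: str, has_admin_token: bool,
                           allowed_hosts=("api.example.com",)) -> bool:
    """Fixed pattern: reject malformed or unexpected Host values outright, then
    authorize on the same raw path the router dispatches on."""
    if not _HOST_RE.match(host) or _strip_port(host) not in allowed_hosts:
        return False
    if raw_path.startswith("/admin"):
        return has_admin_token
    return True


def probe(host: str, raw_path: str, has_admin_token: bool, check):
    """Return (authorized, handler). The dangerous outcome is
    (True, 'admin_handler') with has_admin_token=False."""
    return check(host, raw_path, has_admin_token), router_dispatch(raw_path)


# Constructed requests: one honest, three with a poisoned Host header.
CASES = {
    "honest":      ("api.example.com",        "/admin"),
    "fragment":    ("api.example.com#",       "/admin"),  # path parses as ''
    "query":       ("api.example.com?",       "/admin"),  # path parses as ''
    "path_prefix": ("api.example.com/public", "/admin"),  # parses as /public/admin
}


def bypassed_cases(check) -> list:
    """Names of CASES that reach admin_handler without a token under `check`."""
    return [name for name, (host, path) in CASES.items()
            if probe(host, path, False, check) == (True, "admin_handler")]


if __name__ == "__main__":
    print("naive   :", bypassed_cases(naive_is_authorized))
    print("hardened:", bypassed_cases(hardened_is_authorized))
```

In a real Starlette deployment the allowlisting half of the hardened check is what Starlette's own TrustedHostMiddleware (allowed_hosts=...) provides; the other half, authorizing on the raw scope path rather than on request.url, is the application's responsibility, and it is the half that a Host-validating reverse proxy in front of the app also covers.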

The developer of Starlette didn’t immediately reply to an email seeking confirmation of the assessment and additional information.

With vulnerable versions of Starlette still widely used in production systems, people relying on any app that depends on Starlette, particularly FastAPI, vLLM, and LiteLLM, should, at a minimum, run the scanner on their systems to detect whether vulnerable Starlette code is still in use, and confirm that the Starlette version actually resolved in each deployment is 1.0.1 or later. Additional mitigation guidance is provided in the Nemesis and X41 D-Sec advisories.
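As an added, offline first-pass check to complement the online scanner (this is example code written for this page, not the Nemesis or X41 D-Sec tool), the following Python reads a `pip freeze`-style listing, flags any Starlette pin below 1.0.1 (the fixed release named above, including pre-releases of 1.0.1), and flags the Starlette-dependent packages the article names so that their resolved Starlette version gets re-checked. The sample listing is constructed; the dependent-package set is taken from the article.

```python
"""Audit a pip freeze listing for the vulnerable Starlette range (< 1.0.1).
Example code for this page; stdlib only, no network access."""
import re
from typing import List, Tuple

FIXED_STARLETTE = (1, 0, 1)
# Packages the article names as reaching Starlette through FastAPI. Their own
# pins say nothing about which Starlette was resolved, so they are flagged.
STARLETTE_DEPENDENTS = {"fastapi", "vllm", "litellm"}

_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")
_RELEASE = re.compile(r"^v?(\d+(?:\.\d+)*)(.*)$")
_PRE = re.compile(r"^[.\-_]?(a|b|c|rc|alpha|beta|dev|pre|preview)", re.I)


def normalize_name(name: str) -> str:
    """PEP 503 normalisation so Starlette, starlette and STARLETTE compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> Tuple[Tuple[int, ...], bool]:
    """Return (release tuple padded to three parts, is_prerelease).
    1.0.1rc1 is a pre-release of 1.0.1 and therefore still below the fix;
    1.0.1.post1 is a post-release and counts as fixed."""
    m = _RELEASE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    release = (release + (0, 0, 0))[:3]
    return release, bool(_PRE.match(m.group(2)))


def starlette_is_vulnerable(version: str) -> bool:
    """True for every Starlette release that predates 1.0.1."""
    release, prerelease = parse_version(version)
    if release < FIXED_STARLETTE:
        return True
    return release == FIXED_STARLETTE and prerelease


def audit_freeze(freeze_text: str) -> List[Tuple[str, str, str]]:
    """Return (package, version, verdict) for Starlette and its known dependents."""
    findings = []
    for line in freeze_text.splitlines():
        m = _PIN.match(line)
        if not m:
            continue  # comments, blank lines, editable/VCS installs
        name, version = normalize_name(m.group(1)), m.group(2)
        if name == "starlette":
            verdict = ("VULNERABLE: upgrade to starlette>=1.0.1"
                       if starlette_is_vulnerable(version) else "ok")
            findings.append((name, version, verdict))
        elif name in STARLETTE_DEPENDENTS:
            findings.append((name, version,
                             "depends on starlette; check the resolved starlette pin"))
    return findings


# Constructed sample environment, not a real freeze output.
SAMPLE_FREEZE = """\
# constructed sample
fastapi==0.115.0
Starlette==0.47.2
uvicorn==0.30.6
vllm==0.6.3
-e git+https://example.invalid/agent-harness.git#egg=agent_harness
"""

if __name__ == "__main__":
    for package, version, verdict in audit_freeze(SAMPLE_FREEZE):
        print(f"{package:<10} {version:<10} {verdict}")
```

Feed it `pip freeze` from each environment that serves an agent, MCP server or model endpoint; a clean result only rules out an old pin, it does not prove the running process was restarted after the upgrade, so pair it with the scanner against the live service.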

Dan Goodin, Senior Security Editor

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and on Bluesky. Contact him on Signal at DanArs.82.

© 2026 Condé Nast. All rights reserved. Use of and/or registration on any portion of this site constitutes acceptance of our User Agreement and Privacy Policy and Cookie Statement and Ars Technica Addendum and Your California Privacy Rights. Ars Technica may earn compensation on sales from links on this site. Read our affiliate link policy. The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Condé Nast. Ad Choices