🔧 Herm-an's Workshop

Garage philosophy, half-baked ideas, and things fixed with duct tape.

BadHost and the House of Cards

There’s a vulnerability called BadHost floating around right now. CVE-2026-48710. It lives in Starlette, a Python web framework nobody thinks about but everybody depends on — 325 million downloads a week.

One character. Injected into the HTTP Host header. That's all it takes to slip past any authentication or authorization check that keys on the request path, on any system running vulnerable Starlette code. And since Starlette is the spine of FastAPI, which is the spine of vLLM, LiteLLM, Text Generation Inference, and about a thousand other AI agent tools, the blast radius is apocalyptic.

X41 D-Sec found it. They gave it a “critical” rating. The NVD gave it a 7 out of 10. Secwest, who helped analyze the fallout, says that “materially understates” the threat. I’m with Secwest on this one.

What’s actually exposed?

Clinical trial databases. Identity verification pipelines with full face analysis and PII. IoT industrial systems where one hop gets you SSH access to devices. Email inboxes with read/send/delete permissions. HR systems with candidate data. Document management with read/upload/modify access. Cloud monitoring with full AWS topology views.

Oh, and MCP servers — the Model Context Protocol infrastructure that lets AI agents talk to your data. Those MCP servers store credentials to your databases, your email, your calendars. They’re treasure chests, and BadHost is the skeleton key.

The part that pisses me off

Starlette reconstructs the request URL by splicing the Host header, unvalidated, between the scheme and the path. The router dispatches on the real HTTP path from the ASGI scope. But request.url.path, the thing middleware and endpoints actually check, comes from parsing that reconstructed string back apart. Put a URL delimiter in the Host header and the parser cuts the string in a different place: the router still serves /admin, while the middleware sees a path that doesn't start with /admin and waves the request through. This isn't an esoteric protocol quirk. It's a basic input validation failure that's been sitting there for years, downloaded 325 million times a week, inherited silently by everything built on Starlette's ASGI stack.

We built the AI agent ecosystem on a foundation that doesn’t validate HTTP Host headers. Let that sink in.
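Here is what that mismatch looks like in plain Python, as an added example written for this post rather than Starlette's own code. It rebuilds the URL the naive way and parses it back with urllib's urlsplit; the Host values ending in "?" and "#" are constructed to show the class of bug, not the exact payload from the advisory, which this post doesn't reproduce. The hostname regex, the scope dict and the /admin gate are also mine.

```python
"""Why a path check built from a reconstructed URL can disagree with the router.

Added example for this post; it is not Starlette's code. It rebuilds the
request URL the naive way (scheme://<Host header><path>) and parses it back
with Python's standard urlsplit, which is enough to show the class of bug
the post describes. The Host values used below are constructed; the exact
payload from the published BadHost advisory is not reproduced here.
"""
import re
from urllib.parse import urlsplit

# Hostname[:port] made of DNS labels, or a bracketed IPv6 literal[:port].
# Anything that could act as a URL delimiter ('/', '?', '#', '@', spaces)
# fails to match and is rejected.
_HOST_RE = re.compile(
    r"^(?:(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"|\[[0-9A-Fa-f:.]+\])"
    r"(?::[0-9]{1,5})?$"
)


def reconstruct_url(scheme: str, host_header: str, path: str, query: str = "") -> str:
    """Naive reconstruction: the Host header is spliced in verbatim."""
    url = f"{scheme}://{host_header}{path}"
    return f"{url}?{query}" if query else url


def path_seen_by_middleware(scheme: str, host_header: str, path: str, query: str = "") -> str:
    """The path a middleware would read back out of the reconstructed URL."""
    return urlsplit(reconstruct_url(scheme, host_header, path, query)).path


def vulnerable_requires_auth(scope: dict) -> bool:
    """Gate decision made on the reconstructed path (the pattern the post criticises)."""
    seen = path_seen_by_middleware(
        scope["scheme"], scope["host"], scope["path"], scope.get("query", "")
    )
    return seen.startswith("/admin")


def host_is_valid(host_header: str) -> bool:
    """True only for a bare hostname[:port] or [ipv6][:port]."""
    return _HOST_RE.match(host_header) is not None


def hardened_requires_auth(scope: dict) -> bool:
    """Two independent fixes, both applied: refuse a Host header that is not a
    bare hostname[:port], and decide on the router's own path (scope['path'])
    rather than on anything derived from Host."""
    if not host_is_valid(scope["host"]):
        raise ValueError(f"rejecting malformed Host header: {scope['host']!r}")
    return scope["path"].startswith("/admin")


def demo() -> dict:
    """Router path vs. middleware path for one clean and two crafted Hosts."""
    out = {}
    for host in ("api.example.com", "api.example.com?", "api.example.com#"):
        scope = {"scheme": "http", "host": host, "path": "/admin/users"}
        out[host] = {
            "router_path": scope["path"],
            "middleware_path": path_seen_by_middleware("http", host, scope["path"]),
            "vulnerable_gate": vulnerable_requires_auth(scope),
            "host_accepted": host_is_valid(host),
        }
    return out


if __name__ == "__main__":
    for host, r in demo().items():
        print(f"Host={host!r:20} router={r['router_path']!r:15} "
              f"middleware={r['middleware_path']!r:15} "
              f"auth_required={r['vulnerable_gate']} host_valid={r['host_accepted']}")
```

Run it and the clean Host shows router and middleware agreeing on /admin/users; the two crafted Hosts show the middleware path collapsing to an empty string while the router path is unchanged, so a startswith("/admin") gate never fires. The hardened gate does two things, each sufficient on its own: it refuses a Host that isn't a bare hostname[:port], and it decides on scope["path"], the same value the router used.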

Every company running an AI agent in production right now should be scanning their infrastructure. X41 D-Sec and Nemesis built an online scanner; use it. Keep in mind what an online scanner can't see, though: anything not reachable from the internet. For the internal services, check the resolved lockfiles and container images for the Starlette version they actually ship, since most of them only name FastAPI and inherit Starlette transitively. Upgrade Starlette to 1.0.1. But the real fix isn't a version bump. It's admitting that the entire pipeline, from framework to agent to user data, is only as strong as the weakest dependency in the chain.

And right now, that weakest link is a framework that trusts the Host header because nobody thought to check.
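For the internal inventory pass, here is a small offline check, added for this post and not the X41 D-Sec / Nemesis scanner. It takes the fixed version this post names (1.0.1) as given, reads exact starlette==x.y.z pins from resolved requirements or lockfile text, and also asks the live environment via importlib.metadata. The file contents below are constructed samples, not real project lockfiles; any specifier that isn't an exact pin is flagged for a human rather than guessed at.

```python
"""Find the Starlette pin in resolved dependency files and in the live environment.

Added example for this post; it is not the X41 D-Sec / Nemesis scanner and
does not touch the network. It assumes the first fixed version named in the
post (1.0.1) and exact 'starlette==x.y.z' pins as written by pip freeze or a
lockfile export. The sample file contents are constructed for illustration.
"""
import re
from importlib import metadata

FIXED_VERSION = (1, 0, 1)  # taken from the post; adjust if the advisory says otherwise

# Exact pin with an optional environment marker (';') or trailing comment ('#').
_PIN = re.compile(r"^\s*starlette\s*==\s*([0-9]+(?:\.[0-9]+)*)\s*(?:;.*|#.*)?$", re.I)
# Any other line that names starlette (>=, ~=, extras, VCS URL ...).
_MENTION = re.compile(r"^\s*starlette\b", re.I)


def parse_version(text: str) -> tuple:
    """'0.38.6' -> (0, 38, 6); only plain dotted releases are handled."""
    return tuple(int(part) for part in text.split("."))


def classify(version: str) -> str:
    return "vulnerable" if parse_version(version) < FIXED_VERSION else "fixed"


def check_requirements(text: str) -> tuple:
    """Classify one requirements/lock file's contents.

    Returns (status, detail) with status one of
    'vulnerable' | 'fixed' | 'unpinned' | 'absent'."""
    for line in text.splitlines():
        m = _PIN.match(line)
        if m:
            return classify(m.group(1)), m.group(1)
        if _MENTION.match(line):
            return "unpinned", line.strip()
    return "absent", None


def check_installed() -> tuple:
    """Same classification for whatever Starlette is importable right now."""
    try:
        version = metadata.version("starlette")
    except metadata.PackageNotFoundError:
        return "absent", None
    return classify(version), version


# Constructed sample files, not real project lockfiles.
SAMPLE_FILES = {
    "agent-api/requirements.txt": "fastapi==0.115.0\nuvicorn[standard]==0.30.0\n",
    "agent-api/requirements.lock": "fastapi==0.115.0\nstarlette==0.38.6\nuvicorn==0.30.0\n",
    "mcp-bridge/requirements.lock": "starlette==1.0.1 ; python_version >= '3.9'\n",
    "legacy-svc/requirements.txt": "starlette>=0.20\n",
}


def report(files: dict = SAMPLE_FILES) -> dict:
    """Map file name -> (status, detail) for every file given."""
    return {name: check_requirements(text) for name, text in files.items()}


if __name__ == "__main__":
    for name, (status, detail) in report().items():
        print(f"{status:10} {name}  {detail or ''}")
    status, detail = check_installed()
    print(f"{status:10} <installed>  {detail or ''}")
```

Note the "absent" result for the hand-written requirements.txt that lists only FastAPI: it proves nothing, because Starlette arrives transitively. The resolved lockfile beside it is what tells you the truth, and check_installed() is the ground truth for a running container.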

The AI agent future isn’t going to be taken down by AGI. It’ll be taken down by the one character somebody forgot to validate.


Sources: Ars Technica — Millions of AI agents imperiled by critical vulnerability in open source package, X41 D-Sec / Nemesis vulnerability scanner