Millions of AI agents imperiled by critical vulnerability in open source package
Millions of AI agents and tools around the world have been imperiled by a critical vulnerability that can allow hackers to breach the servers running them and make off with sensitive data and credentials to third-party accounts, a security researcher is warning.
The vulnerability is present in Starlette, an open source framework that its developer says receives 325 million downloads per week. Thousands of other open source projects are also vulnerable because they require Starlette to work. The framework is an implementation of ASGI (the asynchronous server gateway interface), which lets a server process large numbers of requests concurrently and efficiently. Starlette is the base of FastAPI and many other widely used Python frameworks for building services.
Trivial to exploit, millions of servers exposed
Many servers implementing MCP (the model context protocol) are also built on Starlette or on FastAPI. MCP allows AI agents from major providers to access external sources, including user databases, email and calendar accounts, and all manner of other resources. To connect with these external systems, MCP servers store credentials for each one, making them especially valuable storehouses for attackers to breach.
The vulnerability, tracked as CVE-2026-48710 and dubbed BadHost, is trivial to exploit and works against most systems that aren't behind a properly configured firewall. Besides FastAPI, other widely used packages, including vLLM and LiteLLM, are also affected. BadHost affects Starlette versions prior to 1.0.1, which was released Friday.
“A single character injected into the HTTP Host header bypasses path-based authorization in Starlette, the routing core of FastAPI,” researchers from Secwest wrote. “Through FastAPI, this primitive (now tracked as CVE-2026-48710 and branded BadHost by the discoverers) reaches a large segment of the Python AI tooling ecosystem: vLLM (where the bug was discovered), LiteLLM, Text Generation Inference, most OpenAI-shim proxies, MCP servers, agent harnesses, eval dashboards, and model-management UIs.”
BadHost carries a severity rating of 7 out of 10. Secwest said the classification “materially understates” the threat it poses to people using apps that depend on Starlette. X41 D-Sec, the security firm that discovered it, described it as having “critical severity.”
X41 D-Sec partnered with fellow security firm Nemesis to create an online scanner that can check whether a given server is vulnerable. X41 D-Sec researcher Markus Vervier said a scan has revealed that the following types of data are currently exposed:
- Biopharma AI – clinical trial DBs, M&A data, SSRF
- Identity Verification – face analysis, KYB, live PII, internal codebase
- IoT/Industrial – SSH to devices via bastion, remote code execution
- Email/SaaS – full mailbox read/send/delete, S3 export, webhooks
- HR/Recruitment – candidate PII, hiring pipeline data
- CMS/Marketing – subscriber lists, send/schedule mass email campaigns
- Document Management – read, upload, modify scanned documents
- Cloud Monitoring – AWS topology, distributed traces, metric queries
- Cybersecurity – asset inventory, live Nuclei scanner access
- Personal Health/Finance – nutrition logs, expenses, subscriptions
The crux of the vulnerability is that Starlette accepts invalid Host header values. Apps that make authorization decisions based on Starlette’s request.url object, which is reconstructed from that header, can therefore be tricked into approving unauthorized requests. X41 D-Sec said it has found authentication in multiple apps that rely on this object to be bypassed. Beyond authentication bypass, exploitation can lead to SSRF (server-side request forgery) and, in some cases, remote code execution.
X41 D-Sec described it this way: Starlette reconstructs the requested URL based on the HTTP Host request header and requested path, but does not perform any validation of the Host header value. This allows attackers to inject paths into the host part, prepending the actual path. However, routing in Starlette is based on the actual request path. This inconsistent interpretation of HTTP requests may lead to issues such as authentication bypass when the authentication depends on the reconstructed URL’s path.
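The following Python model is an added example and is not Starlette’s code, X41 D-Sec’s, or the article’s. It reproduces the mechanism described above in miniature: a URL is built by concatenating scheme, unvalidated Host header and raw path, then re-parsed, so a slash smuggled into the Host moves characters into the path component. A hypothetical authorization check that gates `/admin` on the reconstructed path is shown beside a hardened version that rejects malformed Host values and authorizes on the routed path instead. The bearer token, the `HOST_RE` policy and the `authorize_*` functions are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Hypothetical bearer token for this example (assumption, not from the page).
ADMIN_TOKEN = "s3cret"

# Assumed Host policy: a DNS name or IPv4 literal with optional port, or a
# bracketed IPv6 literal with optional port. Slashes, '?', '#', '@' and
# whitespace are all rejected. This is not Starlette's own check.
HOST_RE = re.compile(
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?"
)


def reconstruct_url(scheme: str, host: str, path: str, query: str = "") -> str:
    """Model of building a URL from scheme, Host header and raw path.

    Mirrors the behaviour the advisory describes (the Host value is glued in
    without validation); it is a simplification, not Starlette's implementation.
    """
    url = f"{scheme}://{host}{path}"
    return f"{url}?{query}" if query else url


def reconstructed_path(scheme: str, host: str, path: str) -> str:
    """Path component as seen after the reconstructed URL is re-parsed."""
    return urlsplit(reconstruct_url(scheme, host, path)).path


def valid_host(host: str) -> bool:
    """True when the Host header matches the assumed host[:port] grammar."""
    return HOST_RE.fullmatch(host) is not None


def authorize_vulnerable(scope: dict, headers: dict) -> int:
    """Hypothetical middleware gating /admin on the reconstructed URL's path.

    scope["path"] is what the router actually dispatches on. Returns an HTTP
    status code: 200 allowed, 403 denied.
    """
    path = reconstructed_path(scope["scheme"], headers.get("host", ""), scope["path"])
    if path.startswith("/admin") and headers.get("authorization") != f"Bearer {ADMIN_TOKEN}":
        return 403
    return 200


def authorize_hardened(scope: dict, headers: dict) -> int:
    """Same policy, but rejects malformed Hosts and decides on the routed path.

    Returns 400 for an invalid Host, 403 for a missing or wrong token, else 200.
    """
    if not valid_host(headers.get("host", "")):
        return 400
    if scope["path"].startswith("/admin") and headers.get("authorization") != f"Bearer {ADMIN_TOKEN}":
        return 403
    return 200


def demo() -> dict:
    """Constructed requests: an honest client and two Host-injection variants."""
    scope = {"scheme": "http", "path": "/admin/users"}
    honest = {"host": "api.example.com"}
    # One extra '/' turns the re-parsed path into "//admin/users".
    injected = {"host": "api.example.com/"}
    return {
        "honest_path": reconstructed_path("http", honest["host"], scope["path"]),
        "injected_path": reconstructed_path("http", injected["host"], scope["path"]),
        # A longer injection prepends an attacker-chosen segment to the real path.
        "prefix_path": reconstructed_path("http", "api.example.com/public", scope["path"]),
        "vulnerable_honest": authorize_vulnerable(scope, honest),
        "vulnerable_injected": authorize_vulnerable(scope, injected),
        "hardened_honest": authorize_hardened(scope, honest),
        "hardened_injected": authorize_hardened(scope, injected),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable check denies the honest request to `/admin/users` but lets the same request through when the Host carries a trailing slash, because the string it inspects no longer starts with `/admin` while the router still serves `/admin/users`. The hardened check fails closed on the malformed Host and never consults the reconstructed URL for authorization.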
The developer of Starlette didn’t immediately reply to an email seeking confirmation of the assessment and additional information. With vulnerable versions of Starlette still widely used in production systems, people relying on any app that depends on Starlette—particularly FastAPI, vLLM, and LiteLLM—should, at a minimum, run the scanner against their systems to detect whether vulnerable Starlette code is still in use. Additional mitigation guidance is provided in the Nemesis and X41 D-Sec links above.