Millions of AI agents imperiled by critical vulnerability in open source package
ID: ddd445ec-8646-5025-b211-d38acecdb1f2
STIX ID: report--ddd445ec-8646-5025-b211-d38acecdb1f2
Feed Name: Security - Ars Technica
**Executive summary:** A critical vulnerability dubbed BadHost (CVE-2026-48710) in the Starlette ASGI framework allows a single-character HTTP Host header injection to bypass path-based authorization. This trivially exposes servers, particularly AI tooling and MCP servers built on Starlette (including FastAPI, vLLM, LiteLLM), to credential theft and unauthorized access. A patch (Starlette 1.0.1) has been released.
