One character in a header bypasses auth on millions of AI servers.

Hey 👋

This is a patch-now issue. A single character in an HTTP header bypasses authentication on what is probably the most widely deployed component in the production AI stack. MCP servers are the worst case. If you run anything built on FastAPI, vLLM, LiteLLM, or an MCP server, do the five-minute check below before you read the rest.

Two things from my side this issue: a free self-assessment that scores your agents against the OWASP Agentic Top 10, and a YouTube Shorts series I’m launching. Both at the end.

This week in AI security

BadHost (CVE-2026-48710): one character in the Host header skips auth across the AI stack

X41 D-Sec found it during an OSTIF-funded audit of vLLM in January and traced it back to Starlette, the Python ASGI framework sitting under FastAPI and most of the production AI stack (325 million weekly downloads). The mechanism is almost insultingly simple. Starlette rebuilds request.url by concatenating the Host header with the request path, then re-parses the result without validating the Host value first. Drop a /, ?, or # into the Host header and the path, query, and fragment boundaries shift during re-parse. The router still dispatches on the real wire path, so the route executes, but your auth middleware sees the poisoned, re-parsed path. Any path-based security decision made in middleware is bypassed while the protected route runs anyway.

curl -i -H 'Host: foo'  http://target/admin   # 403, blocked
curl -i -H 'Host: foo?' http://target/admin   # 200, served

It cascades into vLLM inference servers, LiteLLM proxy gateways, MCP servers, agent harnesses, model registries, and eval dashboards. The protected endpoints in those environments — admin routes, model management, API key issuance, tool-execution endpoints — are exactly the ones guarded by the path-based middleware BadHost defeats.

MCP servers face structurally elevated exposure, and it’s built into the protocol. The MCP spec mandates unauthenticated OAuth discovery endpoints, which gives an attacker a reliable, spec-guaranteed path to start the bypass. AI lab deployments are hit hardest because many run directly on uvicorn with no reverse proxy to sanitize headers first. The official CVSS of 6.5 badly understates real-world severity given Starlette’s dominance in AI infrastructure. Don’t let the score drive your prioritization here.

Upgrade Starlette to ≥1.0.1. That’s the primary fix — it handles malformed Host headers safely. Then stop using request.url.path for any security decision (use FastAPI’s Depends() or Security(), or scope["path"] in middleware), and put a reverse proxy (Nginx, Caddy, an AWS ALB) in front of any ASGI server to normalize Host headers. Attackers can move the payload to X-Forwarded-Host to defeat some proxy sanitization, so the proxy alone is not enough — patch Starlette regardless. There’s a free scanner at badhost.org (available to attackers and defenders alike, so scan yours today).

OSTIF disclosure → · CSO Online → · Free scanner →

The first fully-autonomous LLM-agent exploit in the wild used BadHost to drain an AWS database in under an hour

Sysdig documented what they say is the first confirmed live cyberattack in which an LLM agent autonomously performed post-exploitation. Not a human running an AI-assisted step — the agent identified the vulnerability, generated and executed exploit code, escalated privileges, and exfiltrated an AWS database in under an hour without human direction of individual steps. The entry point was a Marimo notebook exposed via the BadHost path (CVE-2026-48710 also affects Marimo, tracked separately as CVE-2026-… in their advisory).

Here’s the detail worth sitting with: Claude Mythos, the autonomous bug-finder that surfaced 10,000+ vulnerabilities under Project Glasswing, missed BadHost entirely. A human-led source-code audit by X41 D-Sec found it — during an audit of a different target. The bug had been sitting across hundreds of thousands of deployments for years.

Autonomous AI is now on both ends of the same vulnerability. A human auditor found BadHost that the best autonomous finder missed, and within days an autonomous agent was exploiting it end-to-end faster than any human team could. The takeaway isn’t “AI will find everything” (it didn’t) or “humans are obsolete” (they found this one). Your detection and response window is now measured against a machine that doesn’t sleep, doesn’t get bored mid-exploit, and chains post-exploitation steps in minutes. Plan your containment for that clock, not the human one.

Sysdig via AI News roundup →

Microsoft shipped agent-security tooling the same week — the defensive side is catching up

On June 3, Microsoft introduced a batch of AI-security capabilities: MDASH, a multi-model agentic vulnerability-discovery system now integrating with Microsoft Defender, plus new controls for managing and securing AI agents and tools to flag vulnerable or compromised models before deployment. They’re combining AI analysis with telemetry from what they call 100 trillion security signals a day to prioritize exploitable vulnerabilities.

Multi-agent vulnerability discovery is the right direction, but watch the gap BadHost exposed. Automated discovery systems — Mythos included — missed a trivially simple, catastrophically widespread bug that a human found by reading code. Defensive tooling that leans entirely on AI discovery inherits AI’s blind spots. The strongest posture pairs automated breadth with human depth on the components that matter most. Treat MDASH and its peers as coverage multipliers, not replacements for reviewing your highest-privilege AI infrastructure by hand.

Help Net Security →

From the lab

Two recent pieces that pair directly with this week’s news:

How a Malicious MCP Server Can Drain Your Database in 5 Steps — the attack doesn’t start at your model, it starts at your tool marketplace. BadHost is the auth-layer version of the same lesson: the danger sits in the infrastructure layer everyone assumed was handled. Read it →
The Right AI Security Framework Depends on the Question You’re Asking — there are 20+ AI security frameworks in 2026. Most teams implement all of them and produce a 60-page document with no usable threat model. This is the decision that actually matters. Read it →

(And a one-line callback to last issue: if you haven’t gated your CI/CD coding agents against external pull requests after SymJack/TrustFall, that’s still live.)

New this week: score your own agents in 12 minutes

I built a free self-assessment: the Agent Security Scorecard. It scores your AI agents against the OWASP Agentic Top 10 (2026) in about 12 minutes. Vendor-neutral, no login, instant results. BadHost is a textbook case of exactly what it checks for — an identity-and-authorization failure (ASI03) at the infrastructure layer. If this issue made you wonder how exposed your agents actually are, this is the fastest way to find out where the gaps are.

Take the Agent Security Scorecard →

Also starting this week — short-form video. I’m launching a YouTube Shorts series breaking down one agentic AI security concept per video, in under 60 seconds each: MCP attack chains, the OWASP Agentic risks, and practical controls you can actually ship. First few drop this week. Reply if there’s a specific concept you want me to cover, and I’ll prioritize it. [AMINE FILLS: YouTube channel/Shorts link]

One thing to check this week

Run the badhost.org scanner against every Starlette/FastAPI surface you own — local dev, CI, and especially any internet-reachable MCP server, LLM proxy, or inference endpoint. The remediation window on this one was effectively zero. The patch hit PyPI one day before public disclosure, and the scanner went live for attackers and defenders simultaneously. Assume adversaries are scanning too. Patch Starlette to ≥1.0.1, then confirm with the scanner that the bypass no longer works.

What I’m watching

→ The “responsibility gap” pattern — OSTIF’s point is the real story. One maintainer patching Starlette protected thousands of downstream projects that would otherwise each have to fix it themselves. Expect more single-point AI-infrastructure CVEs with enormous blast radius as the stack consolidates on a handful of frameworks.

→ Autonomous exploitation speed — the Sysdig case is the first documented end-to-end autonomous post-exploitation. It won’t be the last. Containment plans built around human attacker tempo are now mis-calibrated.

→ AI discovery blind spots — Mythos found 10,000+ bugs and missed BadHost. A human found it reading code. The limits of automated discovery are becoming as important to understand as the capabilities.

→ MemMorph — new research on hijacking an agent’s tool selection by slipping disguised records into long-term memory. Because it never touches tool metadata, the bias is hard to detect. The memory-poisoning class keeps maturing.

→ The cybersecurity agent build — next issue: the allowlist-based tool gate in practice, and how I’m handling auth on the agent’s own MCP endpoints in light of BadHost.

Questions, pushback, something I missed — reply directly, I read everything.

Cheers, Amine