Incident · curated 27 Jun 2026
First reported 28 May 2026 · 30d ago
Single-source incident — first reported, latest, and curated coincide.
MCP servers store credentials for AI agents' external accounts, so a trivially exploitable auth bypass in their underlying framework hands attackers a high-value path to mailbox access, PII, RCE, and credential theft across the Python AI tooling ecosystem.
A critical authentication-bypass vulnerability (CVE-2026-48710, dubbed BadHost) in the Starlette framework lets a single character injected into the HTTP Host header bypass path-based authorization. Because Starlette underpins FastAPI, vLLM, LiteLLM, and many MCP servers and agent harnesses, the flaw exposes millions of AI agents and their stored third-party credentials and sensitive data to trivial exploitation.
Why it matters
MCP servers store credentials for AI agents' external accounts, so a trivially exploitable auth bypass in their underlying framework hands attackers a high-value path to mailbox access, PII, RCE, and credential theft across the Python AI tooling ecosystem.