Risky Bulletin: BadHost vulnerability bypasses authentication on AI infrastructure
In other news: Hackers breach Lithuania's state registry; security firms take down Glassworm botnet; CERT India releases strict patching guideline.
This newsletter is brought to you by Sondera.
A major bug has been disclosed in a little-known middleware component used in many AI server infrastructure products.
Codenamed BadHost (and tracked as CVE-2026-48710), the vulnerability impacts Starlette, a lightweight Python framework for building asynchronous web services.
Put simply, the bug lets attackers trick a server into treating a request as one for a public URL that needs no authentication. In reality, the attackers are connected to private endpoints, from which they can download or harvest sensitive data or tell the server to perform malicious actions.
German security firm X41 D-Sec, which found and reported the bug, has also published a technical analysis of the issue.
The basic exploit looks something like this; a malcrafted request is trivial to assemble if attackers know which parts of an internal API they want to hit.
GET /privateendpoint HTTP/1.1
Host: example.com/public?bar=
The Starlette team released security patches last week, but a lot of AI infrastructure is probably still unpatched and vulnerable.
The Starlette framework is currently an important component in projects like LiteLLM, vLLM, AI proxy servers, MCP servers, and even AI agent frameworks.
X41 D-Sec has also released a tool to scan and check if your AI backend is vulnerable to BadHost-style attacks.
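As an added example (not code from X41 D-Sec, Starlette, or this newsletter), here is a Host header check that a reverse proxy or middleware in front of an affected service could apply, together with a demonstration of why the request above confuses path-based authentication. It assumes the mismatch arises when a URL is rebuilt as scheme + Host + request target; all function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Host = uri-host [ ":" port ] (RFC 9110). Accept hostnames, IPv4 addresses and
# bracketed IPv6 literals only; "/", "?", "#", "@" and whitespace never match.
_HOST_RE = re.compile(
    r"(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)(?::\d{1,5})?"
)

def host_header_is_valid(value: str) -> bool:
    """True only if the Host header is a bare host with an optional port."""
    return _HOST_RE.fullmatch(value) is not None

def naive_url_path(host: str, target: str, scheme: str = "http") -> str:
    """Path seen by code that rebuilds the URL by concatenation (assumed pattern)."""
    return urlsplit(f"{scheme}://{host}{target}").path

def check_request(host: str, target: str) -> str:
    """Reject requests whose Host is malformed or whose rebuilt path drifts."""
    if not host_header_is_valid(host):
        return "reject: malformed Host header"
    try:
        rebuilt = naive_url_path(host, target)
    except ValueError:
        return "reject: unparsable URL"
    if rebuilt != urlsplit(target).path:
        return "reject: URL path differs from request target"
    return "ok"

# Constructed sample requests: (Host header, request target).
SAMPLES = [
    ("example.com", "/privateendpoint"),
    ("example.com/public?bar=", "/privateendpoint"),  # shape shown above
    ("[::1]:8000", "/public"),
]

def classify_samples():
    return [(host, target, check_request(host, target)) for host, target in SAMPLES]

if __name__ == "__main__":
    # The router would match /privateendpoint, but the rebuilt URL says /public.
    print(naive_url_path("example.com/public?bar=", "/privateendpoint"))
    for row in classify_samples():
        print(row)
```

Rejecting the request at the edge on Host syntax alone does not replace installing the Starlette patches, but it removes the malformed header before any path-based access check sees it.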


Risky Business Podcasts
In this episode of Risky Business Features, Ollie Whitehouse, the CTO of the UK’s National Cyber Security Centre, joins Patrick Gray and James Wilson to talk about why “patch faster” will only get organisations so far in the face of the AI "bugpocalypse."
Breaches, hacks, and security incidents
OnlyFans leak appears fake: A supposed hack and leak of OnlyFans data appears to be programmatically-generated random data.
SolarWinds hack was catastrophic: FOIA documents obtained by Bloomberg confirmed that Russian hackers gained almost access to internal US government emails following the SolarWinds hack in 2020. [Bloomberg]
Charter confirms breach: American telco Charter has confirmed a security breach after its name was listed on the ShinyHunters' dark web leak portal last week. [BleepingComputer]
Hackers breach Lithuania's state registry: Hackers have stolen 600,000 records from Lithuania's state registry. The entry point was traced back to compromised credentials issued to other government agencies authorized to access land and real estate data. The stolen data included property information such as real names, cadastral information, and other real estate-specific details. [The Record // Lithuania's state registry]
Australian MP hacked: A suspected foreign state actor has breached the WhatsApp account of an Australian MP and three of their staffers. The victim has been identified as independent MP Zali Steggall. The incident took place in March. Although unconfirmed, it is believed to be part of a Russian campaign targeting the Signal and WhatsApp accounts of foreign politicians. [Information Age // The Sydney Morning Herald]
MyPillow ransomware attack: The Play ransomware group is extorting American pillow company MyPillow. The group claims to have stolen sensitive financial documents from MyPillow's corporate network. The company has yet to confirm the incident. [Straight Arrow News]

General tech and privacy
Twitter to go after content thieves: Twitter will ban large accounts that steal content from smaller profiles in order to generate money through the platform's revenue-sharing feature. [Social Media Today]
NEWS: X just kicked out one of its biggest accounts for stealing content.
— Muskonomy (@muskonomy) May 25, 2026
Massimo built a massive following by taking other creators' videos, cutting out the watermark and posting them as his own. Thousands of videos. Same trick every time.
Nikita Bier, X's head of product,… pic.twitter.com/QkcdlHHVLL
Government, politics, and policy
IRS may retain biometric data for years: The IRS is considering new rules to allow its ID.me service to retain facial scans for years in a long-term fraud database and help fight AI-driven identity fraud. [BiometricUpdate]
US changes logging policy: The White House has published a new memo with no rules for federal agencies on keeping software logs. The memo updates a 2021 Biden-era memo but removes long-retention requirements for a logging policy that prioritizes real-time detections and risk-based profiles. [CyberScoop]
US creates "anti-tech violent extremism" category: US law enforcement agencies have created a new domestic threat category named anti-technology violent extremists. The DHS, FBI, and police fusion centers have been told to start tracking individuals who express and promote anti-technology views. The new designation comes in the midst of growing public outcry against water- and energy-guzzling AI data centers. [WIRED]

Dutch govt blocks US acquisition of DigiD system: The Dutch government has blocked the sale of a cloud software firm to American investors on the grounds of national security. American tech giant Kyndryl announced plans to acquire Solvinity in a deal last year. The Dutch cloud company built and manages DigiD, the Dutch government's official services portal. Dutch MPs and privacy groups raised concerns that Kyndryl would be bound by US laws and would grant the US government access to the entire data of Dutch citizens. [Dutch Parliament // DutchNews]
Germany unveils C3A: The German government has published a new framework to help companies and government agencies select a truly sovereign cloud provider. The guide is meant to help authorities and the private sector move to EU alternatives and away from US tech. [InCyber News // BSI]
Iran will reconnect to global internet: Iran's president has lifted a national ban and will allow the country to reconnect to the global internet. Iran cut off internet access to its entire population on February 28, at the start of a war with Israel and the US. The country's internet blockade has lasted 87 days, the longest one ever recorded. Human rights groups expect videos of executions and police violence to surface after a brutal government crackdown against protesters and supposed spies. [Reuters]
🫶 Welcome back #Iran! Metrics show a further rise in connectivity as mobile networks and other segments are reconnected to the global internet: • Filternet remains in place but can be worked around • WhatsApp now restricted, requiring circumvention • Some users still offline
— NetBlocks (@netblocks.org) May 26, 2026 at 8:48 PM
Russia fines 85 telcos: Russia's internet watchdog has fined 85 telcos for failing to provide data on IP addresses assigned to customers. Under Russian law, ISPs and mobile operators must notify Roskomnadzor once per day of the IP addresses assigned to customers. The requirement is part of a system designed to block DDoS and other cyberattacks. Fines for first-time offenders are $7,000. [Izvestia]
Russia to phase out Visa and Mastercard: Russia's central bank will phase out Visa and Mastercard cards after their market share fell to 17% and after the two companies stopped processing Russian transactions following 2022 sanctions. [TASS]
Internet as a government reward for "good behavior": Aleksandr Dugin, the Russian political philosopher behind most of modern Russia's neo-imperialism and government expansionist policies, has proposed granting citizens internet access as a government reward for "good behavior" and something to be earned. [Meduza]
South Korea launches Cyber Incident Investigation Committee: The South Korean government has launched a special committee to investigate cybersecurity breaches. The Cyber Incident Investigation Committee launched four months ahead of schedule. The law that enshrines its powers will come into effect in October. The committee will work in an advisory role to the Ministry of Science and Technology until then. [eDaily]
India recommends patching exploited bugs within 12h: Indian organizations have been urged to install security updates for actively exploited bugs within 12 hours of a notification. The advice applies to internet-facing appliances or so-called "crown jewel" systems. If the actively exploited bugs target software running on internal networks and not connected to the internet, patches can be delayed for up to one day. India's CERT cited the rise in AI-assisted attacks for its new stricter patching guideline. [CERT-IN]

Sponsor section
In this Risky Business sponsor interview, James Wilson chats with Sondera CEO Josh Devon about why guardrails and instruction files aren’t enough to keep AI agents from going haywire. EDR, DLP and other traditional controls can't and won't prevent agents from going rogue. Josh explains Sondera’s “principle of least autonomy” for agents: let them do useful work, but put them in a deterministic policy harness so they can’t leak secrets, abuse tools or wander off-task.
Arrests, cybercrime, and threat intel
Tech firms take down Glassworm C2 servers: CrowdStrike, Google, and the Shadowserver Foundation have disrupted the Glassworm botnet. The three organizations took down four layers of command and control servers used by the Glassworm operation to infect open-source projects. The Glassworm botnet launched last September and spread across the devops ecosystem. It worked as a worm that infected a developer, spread to their projects, and made new victims. Since last year, Glassworm has been seen on the npm and PyPI ecosystems and on VS Code extension portals. [CrowdStrike]
Ajax hacker arrested: Dutch police have arrested a 35-year-old man for hacking the Ajax Amsterdam soccer club. The suspect hacked the club via a phishing attack at the start of the year. He used the access to modify game ticket reservations. The suspect was detained in the city of Buren on Tuesday. [Dutch Police]
Six scammers arrested in India: Indian authorities have arrested six suspects who allegedly carried out "digital arrests" scams. The group called victims across India posing as law enforcement. They threatened arrests if victims didn't transfer them money. The group is believed to have made more than $2.5 million. [The Indian Express]
Chinese PhaaS ecosystem growing rapidly: Chinese-run phishing-as-a-service (PhaaS) platforms are now just as advanced as the Russian ones, and they seem to follow the same rule of "don't s**t where you eat," meaning they can only be used to target foreign services. [Google Cloud]
Mule-as-a-Service economy: The money mule economy is shifting right under our eyes with the help of AI and the rise of KYC checks everywhere. [KELA]
"This report highlights how mule operations increasingly rely on stolen identities, synthetic identities, compromised accounts, and AI-assisted onboarding techniques rather than solely recruiting human participants."
Ababil of Minab profile: Gambit Security has published a profile on Ababil of Minab, an online persona used by Iranian state-sponsored hackers in the attack against the LA Metro. [Gambit Security]
"Forensic evidence ties the campaign to infrastructure and activity previously attributed by Israel's National Cyber Directorate (INCD) to Iran’s Ministry of Intelligence and Security (MOIS)."
New SRG alert: The FBI has published a new industry alert on the Silent Ransom Group, a data extortion group known to target law firms. The new advisory highlights how the gang will sometimes send someone "in-person to the victim company's location to gain physical access to computers." This is a tactic that was first used last year but has now become more common. [FBI Industry Alert, PDF // Older FBI Industry Alert, PDF]
Malware technical reports
Deno RAT (Dindoor): Threat actors are using fake software uploaded on GitHub and SourceForge to infect victims with the Deno RAT. Links to these packages are typically spread using YouTube videos. While we've seen this tactic before, this is the first time I've seen SourceForge being used as a hosting platform in some of these campaigns. [Malwarebytes]
BTMOB: An Android RAT that evolved from the old SpySolr malware is now getting widely used across Brazil in malware campaigns. [ESET]
Payload ransomware: DarkAtlas looks at the technical underbelly of the Payload ransomware gang, which has recently crossed the 50 mark on their dark leak site. [DarkAtlas]
P2Pinfect: The P2Pinfect botnet has been seen compromising Kubernetes clusters, entering systems through misconfigured Redis databases. [Fortinet]

Sponsor section
In this edition of the Snake Oilers podcast, Sondera's Josh Devon talks about Sondera technology designed to intervene when AI models start doing the wrong thing by statefully tracking their trajectories. This isn't a permissions suite for AI agents, it's a way to stick agents in a harness and make sure they adhere to hard policy boundaries.
APTs, cyber-espionage, and info-ops
TikTok disinformation campaigns in Romania: A report published last week looks at the coordinated TikTok disinformation campaigns that took place this month around a confidence vote that took down Romania's pro-EU government alliance and promoted pro-Kremlin forces and anti-EU conspiracy theories. The campaign involved almost 24,000 videos that got more than 100 million views. [ExpertForum]
Vulnerabilities, security research, and bug bounty
Security updates: 7-Zip, ABB, ConnectWise, cPanel, HP, NVIDIA, Splunk.
KnowledgeDeliver LMS zero-day: Hackers have exploited a novel zero-day in the KnowledgeDeliver learning management platform to take over IIS servers. The attackers exploited an identical hardcoded machineKey that was shared among all LMS installations. The hackers modified JavaScript on the LMS portals to show a fake security alert and trick visitors into installing malware. Most KnowledgeDeliver installs are in Japan. [Google Cloud // CVE-2026-5426]
Unpatched Sparx bugs: Sparx Systems has failed to patch five security issues in its Pro Cloud Server even after being contacted by CERT Poland. [CERT-PL // Blazej Adamczyk]
7-Zip code execution: There's a new code execution bug in 7-Zip that is bound to get exploited in the wild soon. This was patched back in April. [GitHub]
Infosec industry
Threat/trend reports: Check Point, Kaspersky, Red Canary, and VulnCheck have recently published reports and summaries covering various threats and infosec industry trends.
New tool—corecrypto: Apple has released corecrypto, the foundational cryptographic library in Apple operating systems.
New tool—TailscaleHound: SpecterOps has open-sourced TailscaleHound, a BloodHound OpenGraph collector to map out Tailscale attack paths.
Risky Business podcasts
In this episode of Risky Business Features, Theori's Brian Pak and Andrew Wesie join James Wilson to discuss why the CopyFail exploit was publicly disclosed before Linux distributions had their patches ready.