Chris Hood

CVE-2026-48710, "BadHost," dropped May 26. One character in an HTTP Host header bypasses authentication. Starlette patched it. Thousands of MCP servers are updating tonight. The patch is real. The bug is something else. BadHost lives in no single file. ASGI passes the header. Starlette reconstructs the URL. Middleware trusts the path. Each component is locally correct. The vulnerability is what happens between them. This is the substrate, not the framework. HTTP was built for hypertext retrieval. Agent traffic inherited its assumptions. The next BadHost is already inside the codebase, waiting to be found. https://t.co/4LycPXQSOj #BadHost #AISecurity #AgentSubstrate #AGTP

BadHost (CVE-2026-48710) bypasses authentication on thousands of MCP servers, vLLM, LiteLLM, and AI agent deployments with a single character in an HTTP Host header. The vulnerability spans three layers (ASGI, Starlette, middleware) each correct in isolation. It only emerges from their interaction. This is what "HTTP wasn't designed for agents" looks like operationally. The Agent Transfer Protocol (AGTP) is the architectural alternative. Dedicated substrate, port 4480, agent identity carried structurally as a cryptographic hash rather than reconstructed from headers. The bug class doesn't exist because the substrate doesn't have the layered-assumption problem that produced it. Not a fix for BadHost. An architecture where BadHost cannot happen. draft-hood-independent-agtp-08 Start running AGTP today: https://t.co/Dyf22uH2fU CrowdStrike, Cloudflare, Google Cloud Security, Amazon Web Services (AWS) #AGTP #BadHost #Security #AgentWeb

A developer who reads POST /reservations knows it books a table. Fifteen years of REST convention does the work. A language model has none of that. It reasons about "book me a table for four" and has to bridge to a verb describing the server's data model, not the user's goal. We measured the gap. 7,200 trials, four model families. Intent-aligned names beat CRUD by 10 to 29 points at frontier scale. Swap the descriptions and CRUD collapses to near chance while agentic names hold steady. The name carries the signal. The data is the argument. #AgenticAPI #AGTP #AIAgents

Every agent protocol today runs over HTTP. To a load balancer, an AI agent executing a financial transaction is indistinguishable from a human clicking a browser link. To govern that traffic, infrastructure has to pause routing, open the payload, and parse the JSON. At every request. At scale. Parsing what attackers are trying to manipulate is a poor place to put your security perimeter. AGTP moves identity, authority scope, and audit information into the transport headers. The infrastructure reads the envelope. The payload stays private. https://t.co/rPijo2M7l5 #AGTP #AgentTransferProtocol

The debate is running again. AI First vs Data First. Both sides are making real points. Both sides are missing the more important one. Neither AI nor Data survives without a customer to serve. And before data, there is something else. Employees. Culture. Empathy. The human infrastructure that makes data meaningful and AI useful. Technology last. AI, maybe. Every "First" label that attaches to a technology belongs at the end of that list. There is no tie. Customer First wins. https://t.co/xhGfUoQ3LK #AI #CustomerFirst #Data