AI Agents Exposed and Iran's Internet Flickers Back Online

Here's a number worth sitting with: 325 million. That's how many times per week the open-source framework Starlette gets downloaded — and right now, every single one of those installations older than version 1.0.1 is carrying a vulnerability that could hand attackers the keys to your AI agent's entire kingdom.

The flaw, officially tracked as CVE-2026-48710 and nicknamed BadHost by the researchers who found it, is almost embarrassingly simple to pull off. Inject a single rogue character into an HTTP Host header, and Starlette's path-based authorization crumbles. No elaborate exploit chain, no nation-state-level sophistication required. Just one character, and you're in.

Why does this hurt so much right now? Because Starlette is the backbone of FastAPI, which has quietly become the go-to framework for building Python-based AI services. That means the blast radius extends well beyond Starlette itself — vLLM, LiteLLM, Text Generation Inference, OpenAI-shim proxies, and a long list of MCP servers are all affected. MCP, short for Model Context Protocol, is the plumbing that lets AI agents tap into external systems: your email, your calendar, your databases. MCP servers store credentials for all of those connections. Which makes them, in the words of any attacker worth their salt, an extremely attractive target.

Security firm X41 D-Sec discovered the bug while poking around in vLLM, then partnered with Nemesis to map out how far the damage could spread. What they found was not reassuring. Beyond the authorization bypass, successful exploits can cascade into server-side request forgery attacks and, in some cases, full remote code execution. X41 D-Sec has already run scans confirming that live servers are actively exposing sensitive data right now.

The official CVSS severity score landed at 7 out of 10 — serious, but not the highest tier. Researchers at Secwest pushed back on that rating pretty bluntly, calling it a material understatement of the real-world risk. X41 D-Sec went further, classifying BadHost as flat-out critical. The disconnect between the formal score and expert opinion is a familiar frustration in the security world, where scoring systems sometimes struggle to account for how deeply a vulnerable package is embedded in broader ecosystems.

The good news is that a fix exists. Starlette 1.0.1 dropped last Friday and patches the vulnerability. X41 D-Sec has also published a free online scanner so teams can check whether their servers are exposed before they update.

The less good news is that patch adoption in the open-source Python ecosystem tends to move at its own pace, and the sheer number of downstream projects depending on Starlette means stragglers will be sitting ducks for a while. If your team is running anything in the AI tooling stack built on FastAPI or its neighbors, this one moves to the top of the to-do list immediately. Not tomorrow. Now.

More than 2,000 hours. That is how long Iran's 90-plus million citizens spent largely cut off from the global internet in 2026 — and on Tuesday, for the first time in months, monitors began detecting faint signs of connectivity trickling back.

The numbers from internet analysis firms Kentik, NetBlocks, and Cloudflare tell a story of cautious, partial restoration rather than anything resembling a return to normal. Fixed-line providers appear to be coming back online first, with the Telecommunication Company of Iran's fiber-optic network around Tehran showing the most meaningful gains. Mobile networks, however, are barely moving. Researchers are careful to note that even these early signals remain well below the limited access Iran allowed briefly in late January — and nowhere close to the country's baseline connectivity levels from late 2025.

To understand why this matters, you need to understand the timeline. Iran's internet troubles in 2026 actually started in January, when the government pulled the plug entirely as security forces violently suppressed widespread economic protests. Connectivity was partially restored in February, then severed again on February 28 when the United States and Israel launched military operations against the country. Since then, tens of millions of people have been unable to reach family members, businesses have hemorrhaged revenue, and the rest of the world has been largely in the dark about on-the-ground conditions inside Iran.

The partial reconnection on Tuesday appears to be a deliberate government decision, coinciding with ongoing US negotiations aimed at a permanent end to the conflict. Whether that timing is meaningful or coincidental is hard to say — but it is hard to ignore.

What makes Iran's situation distinct from typical internet shutdowns is the infrastructure context behind it. Over the past decade, the Iranian government has methodically built out a national intranet — a parallel, domestically controlled network complete with homegrown search engines, messaging apps, and ride-hailing platforms, all designed to eventually substitute for global internet access. The vision was a precision censorship machine. The reality, as Tuesday's murky partial restoration suggests, is that the regime tends to reach for a sledgehammer when it wants control, rather than the scalpel its infrastructure was supposedly built to provide.

Cybersecurity researcher Amir Rashidi of the Miaan Group offered a measured read on the situation: some providers are back, but it is far too soon to declare any kind of normalcy. After January's crackdown, a similar partial restoration left roughly half the country's traffic still offline.

For now, the world is watching a slow, uncertain dial turning. Whether it keeps moving — or gets switched back off — depends on negotiations happening far from the people most affected by the outcome.