Microsoft has patched 'AutoJack,' a vulnerability chain in AutoGen Studio, the GUI tool for its open-source multi-agent AI framework. The flaw allowed arbitrary commands to run on the host simply when a browsing agent loaded a malicious web page, and affected only a development build.
June 18, 2026 · Microsoft Security
"AutoJack": one malicious web page could hijack the host running an AI agent
Microsoft found and fixed a vulnerability chain in AutoGen Studio that let a single untrusted page run arbitrary commands — calc.exe, PowerShell, Bash — on the machine, by abusing a privileged local MCP WebSocket. The flaw was patched before any stable release shipped.
3
chained weaknesses turned a web visit into code execution
1
page visit needed — no clicks, no install
59k+
GitHub stars on the AutoGen framework
0
stable PyPI builds affected — fixed pre-release
The attack chain — three weaknesses in a row
CWE-1385
Origin check
localhost-only, but bypassed because the agent's browser runs on the same machine
→
CWE-306
Missing auth
the MCP WebSocket route skipped authentication entirely
→
CWE-78
Command injection
a URL-derived launch parameter executed as-is on the host OS
Path: agent's headless browser opens a malicious page → JavaScript connects to ws://localhost:8081/api/mcp/ws/ → arbitrary OS commands run on the host.
The fix
Removed server_params from the URL — now session-scoped via a server-side UUID
MCP routes no longer skip authentication
Added an allowlist for command execution
Who was exposed
Only developers building from the GitHub main branch in a specific window
Pre-release builds (0.4.3.dev1 / 0.4.3.dev2) until patching
Stable PyPI (e.g. 0.4.2.2) lacked the MCP route — unaffected
The bigger lesson
"Collapse of the localhost trust boundary" — loopback connections become an attack surface once an agent browses untrusted content while talking to privileged local services.
Run agents under low-privilege accounts or inside a sandbox / container
Don't pair the tool with agents that browse untrusted content
A fresh entry after RCE in Semantic Kernel, path traversal in Langflow, hijacking in ChromaDB
Continue reading The rest of this article is for AI News Blitz readers. Choose an option below to keep reading.
Already purchased? Sign in ✓ Signed in — this article isn’t included in your current plan.Unlocking the full article…