{"slug": "autojack-one-web-page-turns-a-local-ai-agent-into-host-code-execution", "title": "AutoJack: One Web Page Turns a Local AI Agent Into Host Code Execution", "summary": "Microsoft researchers detailed an exploit chain called AutoJack that turns an AI browsing agent into a delivery vehicle for remote code execution. The flaw sits in AutoGen Studio, the open-source prototyping interface for Microsoft Research's AutoGen multi-agent framework. AutoJack chains three weaknesses in the MCP WebSocket to allow a malicious web page to run attacker-chosen commands on the host.", "body_md": "Microsoft researchers detailed an exploit chain called AutoJack that turns an AI browsing agent into a delivery vehicle for remote code execution. Steer the agent to load an attacker's web page, and that page's JavaScript reaches a privileged local service on the same machine and spawns a process on the host. No credentials, no sign-in, no further interaction once the page loads. A planted link, a URL field, or a prompt injection is enough to get the agent to open it.\n\nThe flaw sits in AutoGen Studio, the open-source prototyping interface for Microsoft Research's AutoGen multi-agent framework. The proof of concept used a \"Web Content Summarizer\" agent that, when fed an attacker URL, pops calc.exe on the developer's desktop, launched by the AutoGen Studio process itself. Microsoft calls this research, not an active campaign, and reports no exploitation in the wild.\n\nThis is not a bug that hits everyone who installs the package, and the packaging story matters. A plain pip install autogenstudio pulls the current stable release, 0.4.2.2, the build Microsoft inspected, and it has no Model Context Protocol route at all. That is the basis for Microsoft's statement that the vulnerable MCP WebSocket surface \"was never included in a PyPI release.\" It holds for the stable build.\n\nBut the vulnerable handler did ship to PyPI, in two pre-release builds: 0.4.3.dev1 and 0.4.3.dev2. 
The Hacker News downloaded and inspected both. The MCP WebSocket route is present, the handler takes the command to run straight from the request, and it does not authenticate the caller. Neither build has been yanked. pip will not install a pre-release unless you pass --pre or pin the version, so a plain install was never exposed. Anyone who installed one of those pre-releases was.\n\n**There is no patched PyPI build to move to.** The hardening lives only in GitHub main at commit b047730. No PyPI release carries it yet. If you installed a pre-release, upgrading through PyPI does not help. Pull from source at or after b047730, or stay on stable 0.4.2.2.\n\nAutoJack chains three weaknesses in the MCP WebSocket. First, the socket trusted localhost, a check meant to block a normal browser pointed at a malicious site. But a browsing agent running on the same box is localhost, so anything it loads inherits that localhost identity and passes the check. Second, the authentication middleware skipped MCP paths, assuming the handler would verify tokens itself. It never did, so the socket accepted unauthenticated connections regardless of the configured auth mode. Third, the endpoint took a command straight from a request parameter and ran it, with no allowlist on which executable could launch.\n\nPut together, a page on the open internet, rendered by a local agent, runs an attacker-chosen command under the account running AutoGen Studio. Microsoft reported the behavior to MSRC, and the maintainers hardened main in commit b047730 (PR #7362). The fixed handler no longer reads the command from the URL; parameters are stored server-side behind a one-time session ID, unknown IDs are refused, and MCP routes now run through the normal authentication path.\n\nThe AutoGen Studio bugs are patched in source. The pattern is not. 
Microsoft expects the same shape in other agent frameworks: a local service with too much power, a localhost check treated as security, and an agent that opens untrusted pages. THN saw it last month in ChatGPhish, where ChatGPT's page summaries became a phishing vector. Microsoft made the same localhost argument in its Semantic Kernel RCE research, tracked as CVE-2026-26030 and CVE-2026-25592.\n\n**Localhost is not a trust boundary.** Once an agent can browse the open web and reach privileged local services, anything it loads speaks as localhost. Authenticate the control plane, keep process execution behind an allowlist, and give the agent an identity that is not the developer's own session. Another localhost check is not enough.\n\nFor security teams, the practical takeaway is to inventory where AI agents and local agent-tooling services run on the same host, especially on developer workstations where pre-release packages get installed casually. Treat any local MCP or agent control plane as an attacker-reachable surface the moment the agent can render untrusted content, and apply the same authentication, allowlisting, and least-privilege rules you would to any internet-facing service.\n\n*Originally published on RedEye Threat Intelligence.*", "url": "https://wpnews.pro/news/autojack-one-web-page-turns-a-local-ai-agent-into-host-code-execution", "canonical_source": "https://dev.to/etairos/autojack-one-web-page-turns-a-local-ai-agent-into-host-code-execution-1jph", "published_at": "2026-06-19 19:01:37+00:00", "updated_at": "2026-06-19 19:06:41.445291+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "ai-research", "ai-products", "developer-tools"], "entities": ["Microsoft", "AutoGen Studio", "AutoGen", "Microsoft Research", "MSRC", "PyPI", "ChatGPhish", "Semantic Kernel"], "alternates": {"html": "https://wpnews.pro/news/autojack-one-web-page-turns-a-local-ai-agent-into-host-code-execution", "markdown": 
"https://wpnews.pro/news/autojack-one-web-page-turns-a-local-ai-agent-into-host-code-execution.md", "text": "https://wpnews.pro/news/autojack-one-web-page-turns-a-local-ai-agent-into-host-code-execution.txt", "jsonld": "https://wpnews.pro/news/autojack-one-web-page-turns-a-local-ai-agent-into-host-code-execution.jsonld"}}