Microsoft's Defender Security Research Team disclosed AutoJack on June 18, 2026, in a Microsoft Security Blog post. The research demonstrates a chained exploit where a malicious webpage rendered by a local AI browsing agent reaches an AutoGen Studio MCP WebSocket and executes arbitrary processes on the host - host-level RCE with no credentials required. Three weaknesses are chained: an origin allowlist bypass (browsing agents run as localhost, passing origin checks), missing authentication on MCP endpoints, and unsafe parameter handling that passes attacker-controlled values directly to shell commands. The stable PyPI release of AutoGen Studio (version 0.4.2.2) has no MCP route and is unaffected. However, two pre-release builds - 0.4.3.dev1 and 0.4.3.dev2 - shipped the vulnerable handler and remain on PyPI unyanked (The Hacker News). The fix is in GitHub main at commit b047730 (PR #7362) but has not yet shipped as a patched stable release.
What happened
Microsoft's Defender Security Research Team disclosed AutoJack on June 18, 2026, in a Microsoft Security Blog post (Microsoft Security Blog; The Hacker News). The researchers demonstrated that a malicious webpage rendered by an AutoGen Studio browsing agent can reach a local Model Context Protocol (MCP) WebSocket and run arbitrary processes on the underlying host, creating host-level remote code execution (RCE) with no credentials required. Microsoft named the technique "AutoJack" because it hijacks a web-accessing AI agent to abuse trusted local access.
The stable PyPI release of AutoGen Studio (version 0.4.2.2) has no MCP route and is unaffected. However, The Hacker News confirmed that two pre-release builds - 0.4.3.dev1 and 0.4.3.dev2 - shipped the vulnerable handler and remain on PyPI unyanked as of the disclosure date. The upstream main branch was hardened in commit b047730 (PR #7362), but a patched stable release has not yet shipped to PyPI (The Hacker News).
Technical details
Microsoft researchers identified three linked weaknesses in AutoGen Studio's MCP WebSocket:
- Origin allowlist bypass: The MCP WebSocket accepts connections from localhost. A browsing agent running on the same machine inherits that localhost identity, so any page the agent loads passes the origin check intended to block external content (Microsoft Security Blog).
- Missing authentication: The authentication middleware skipped MCP paths, assuming the handler would verify tokens itself. It never did, so the socket accepted unauthenticated connections regardless of configured auth mode (Microsoft Security Blog).
- Unsafe parameter handling: The endpoint took a command directly from a request parameter with no allowlist on which executable could launch, enabling arbitrary process execution (Microsoft Security Blog; The Hacker News).
Microsoft's proof-of-concept used a "Web Content Summarizer" agent to show that an attacker-controlled URL causes AutoGen Studio to spawn an arbitrary process on the developer's machine. Microsoft described this as research with no exploitation in the wild observed. Microsoft's conclusion: once an agent can browse untrusted content and access local services, localhost is no longer a trust boundary.
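The three gates a hardened handler would apply before spawning anything, as an added illustrative example that is not AutoGen Studio's code or the upstream fix: the function name, header names, allowlist contents and token are all assumptions. Authentication is enforced on the MCP path itself rather than delegated, a localhost Origin is treated as a hint rather than a credential, and the executable is selected by name from a fixed table and launched as an argv list with no shell.

```python
import hmac
from dataclasses import dataclass

# Constructed allowlist for the example: request names map to fixed binaries,
# so a request can never supply a path or an unlisted program.
ALLOWED_EXECUTABLES = {
    "python": "/usr/bin/python3",
    "node": "/usr/bin/node",
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    argv: tuple = ()  # argv to pass to subprocess without shell=True


def check_mcp_request(headers: dict, params: dict, expected_token: str) -> Decision:
    """Gate a hypothetical MCP 'run process' request. Returns a Decision with
    the argv to execute only when every check passes."""
    # 1. Authentication is checked here, on the MCP path, instead of assuming
    #    a downstream handler will do it (the skipped-middleware weakness).
    auth = headers.get("authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if not token or not hmac.compare_digest(token.encode(), expected_token.encode()):
        return Decision(False, "missing or invalid token")

    # 2. Origin is still checked, but it is never the only gate: a local
    #    browsing agent legitimately presents a localhost Origin.
    origin = headers.get("origin", "")
    if origin and not origin.startswith(("http://localhost", "http://127.0.0.1")):
        return Decision(False, f"origin {origin!r} not allowed")

    # 3. The executable comes from the allowlist by name; arguments must be a
    #    list of strings and are never joined into a shell string.
    name = params.get("command", "")
    exe = ALLOWED_EXECUTABLES.get(name)
    if exe is None:
        return Decision(False, f"executable {name!r} not in allowlist")
    args = params.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return Decision(False, "args must be a list of strings")
    return Decision(True, "ok", (exe, *args))
```

A caller would hand `Decision.argv` to `subprocess.run` only when `allowed` is true; a localhost Origin on its own, as in the proof-of-concept scenario, is rejected for lack of a token.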
Context and significance
AutoJack follows a growing body of 2026 research on localhost-hijack vectors for agentic systems. Microsoft's earlier Semantic Kernel RCE disclosures (CVE-2026-26030 and CVE-2026-25592, May 2026) and the ChatGPhish vulnerability (The Hacker News, May 2026) illustrate the same structural problem: local developer services trusted implicitly, combined with agents that access untrusted web content. The fast-growing adoption of multi-agent frameworks and local development tooling increases the number of environments where this attack pattern applies.
What to watch
Monitor: a stable patched PyPI release for users on pre-release builds 0.4.3.dev1 or 0.4.3.dev2; vendor hardening guidance from other agent frameworks that expose local MCP services to web-enabled agents; and any escalation from research disclosure to active exploitation. For practitioners currently using AutoGen Studio with browsing-capable agents: install from GitHub main at or after commit b047730 rather than from a pre-release PyPI build, and if AutoGen Studio and a browsing-capable agent must run on a shared host, isolate them in separate containers with AutoGen Studio running under a low-privilege account (Microsoft Security Blog; The Hacker News).
Scoring Rationale
AutoJack is a significant AI security research finding demonstrating host-level RCE through AI browsing agents via localhost trust abuse - a pattern Microsoft expects will recur across other agent frameworks. Scope is limited to pre-release AutoGen Studio builds with no exploitation in the wild observed, and the fix is not yet in a stable PyPI release, placing this at the lower range of 'Major'.