Microsoft Security has disclosed AutoJack, a three-vulnerability chain in AutoGen Studio that turns browsing-capable AI agents into vehicles for local remote code execution. The exploit targets pre-release versions 0.4.3.dev1 and 0.4.3.dev2 on PyPI, not the stable 0.4.2.2 release. A fix exists in the GitHub main branch but has not yet shipped as a PyPI release, leaving the vulnerable pre-releases available for installation.

Microsoft Security today published research on AutoJack, an attack technique that turns an AI agent with browsing capabilities into a vehicle for arbitrary code execution on the local host. The exploit chain, documented in a detailed technical blog, affects pre-release versions 0.4.3.dev1 and 0.4.3.dev2 of AutoGen Studio on PyPI — Microsoft Research's open-source prototyping interface for the AutoGen multi-agent framework — and not the stable 0.4.2.2 release installed by default.

Key Takeaways
  • AutoJack combines three independent weaknesses in AutoGen Studio: excessive trust in localhost, authentication middleware that excludes MCP paths, and verbatim execution of commands from base64-encoded URLs.
  • The MCP WebSocket attack surface exists only in pre-releases 0.4.3.dev1 and 0.4.3.dev2 on PyPI; The Hacker News independently verified that both builds remain available and have not been yanked.
  • An AI agent running a local headless browser inherits the localhost identity, bypassing the Origin allowlist and opening an unauthenticated WebSocket to the MCP control plane.
  • The fix resides in the GitHub main branch at commit b047730 (PR #7362), but has not yet been distributed as a PyPI release; Microsoft reported the behavior to MSRC and maintainers have hardened the code.

The Three-Weakness Chain: How the Localhost Boundary Dissolves

Microsoft mapped the three components of the AutoJack chain to CWE-1385 (Excessive Trust in Network Identity), CWE-306 (Missing Authentication for Critical Function), and CWE-78 (Improper Neutralization of Special Elements used in an OS Command). Their combination is what makes the attack possible.

The first weakness is conceptual: AutoGen Studio treats 127.0.0.1 and localhost as trusted origins by default. The second is structural: the AuthMiddleware implements an early-return for paths starting with /api/ws or /api/mcp, leaving the MCP handler without any follow-up authentication check in every configuration. The third concerns execution: the server_params parameter passed to the ws://localhost:8081/api/mcp/ws/<session_id>?server_params=<base64(json)> endpoint is decoded, and the StdioServerParams.command and .args fields are passed directly to stdio_client() without any allowlist.

The result is that a malicious web page, loaded by the AI agent itself in its local headless browser, can open a WebSocket to the AutoGen Studio instance and send arbitrary commands. The agent becomes a "confused deputy": it performs actions with privileges it should not possess, precisely because it shares the machine with the target service.

"localhost stops being a trust boundary" — Microsoft Security

The Concrete PoC: From "Web Content Summarizer" to calc.exe on the Desktop

The proof-of-concept documented by Microsoft is a "Web Content Summarizer" agent that, on receiving an externally supplied URL, loads a malicious page. The agent, running on the same machine as AutoGen Studio, inherits the localhost identity: its headless browser presents an Origin that satisfies the allowlist, permitting the MCP WebSocket to open.

Through the server_params parameter, the page injects verbatim commands: calc.exe, powershell.exe, bash -c — any executable reachable by the process. Execution occurs in the context of the user running AutoGen Studio, typically a developer with interactive privileges. No additional user interaction is required beyond launching the agent with the malicious URL.

Microsoft explicitly stated that AutoJack is research, not an active campaign. No in-the-wild exploitation has been reported at the time of publication.

The PyPI Distribution Problem: Fix on GitHub, Pre-Releases Still Exposed

Fix distribution presents significant friction. Commit b047730 in the main branch introduces three hardenings: server-stored server parameters with one-time session IDs, MCP routing that traverses the normal authentication path, and removal of the selective early-return. However, no PyPI release currently contains these changes.
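The weak middleware pattern from the three-weakness chain above, set beside the hardened design the fix commit is described as introducing (no exempt prefixes, server-stored server parameters, one-time session IDs). This is an added, illustrative example written for this article, not AutoGen Studio's own code; the function and class names are assumptions, and the hardened side shows the policy, not the project's implementation.

```python
import secrets
from typing import Optional

# Weak pattern as described in the chain: any path under /api/ws or /api/mcp
# short-circuits the middleware, so the MCP control plane is reachable by
# whatever can open a loopback connection, with no credential at all.
def vulnerable_allows(path: str, token: Optional[str], valid_tokens: set) -> bool:
    if path.startswith("/api/ws") or path.startswith("/api/mcp"):
        return True  # early-return: authentication never runs for these paths
    return token in valid_tokens


# Hardened pattern: every path, including /api/mcp/ws, goes through the same check.
def hardened_allows(path: str, token: Optional[str], valid_tokens: set) -> bool:
    return token in valid_tokens


class McpSessionStore:
    """Server-side registry of MCP server parameters keyed by one-time session IDs.

    The command and args are fixed by server configuration at registration time;
    nothing supplied in the WebSocket URL can change them (assumed design).
    """

    def __init__(self) -> None:
        self._sessions: dict = {}

    def register(self, command: str, args: list) -> str:
        session_id = secrets.token_urlsafe(16)  # unguessable, single-use id
        self._sessions[session_id] = {"command": command, "args": list(args)}
        return session_id

    def consume(self, session_id: str) -> Optional[dict]:
        # One-time use: the entry is removed on first resolution, so a replayed
        # session id yields nothing.
        return self._sessions.pop(session_id, None)


def resolve_mcp_params(store: McpSessionStore, session_id: str,
                       query_server_params: Optional[str] = None) -> Optional[dict]:
    """Resolve what to launch for an MCP session.

    The client-supplied server_params query value is accepted only to be ignored:
    the launch parameters come exclusively from the server-stored session entry.
    """
    del query_server_params  # explicitly unused; never decoded, never executed
    return store.consume(session_id)
```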

The Hacker News independently verified that pip install autogenstudio without the --pre flag installs the stable 0.4.2.2 version, which does not include any MCP route. But installation with --pre still exposes 0.4.3.dev2. Both vulnerable pre-releases remain on PyPI without having been yanked. This configuration creates a risk asymmetry: the developer following official documentation is protected, while those experimenting with pre-releases — the typical AutoGen Studio profile — are exposed.

Systemic Pattern: When the AI Itself Is the Exploit

AutoJack is not an isolated implementation bug. It is a harbinger of an attack class Microsoft has already documented in prior research on Semantic Kernel: the locally running agentic framework, with browsing capabilities and communication with privileged local services, dissolves the assumption that localhost is a security boundary.

The architectural implication is direct. When an AI agent with MultimodalWebSurfer, Playwright, or equivalent tools operates on the same machine as local services with exposed control planes, the headless browser becomes a bridge. The network identity it inherits — localhost — is sufficient to bypass origin checks designed for traditional web scenarios, where the attacker is remote.

Microsoft formulated the general lesson: "if an agent can browse untrusted pages and also talk to privileged local services, loopback can become an attack surface and control planes must be authenticated, authorized, and isolated." This is the conceptual breaking point: AutoGen Studio's MCP control plane was designed without authentication because it assumed localhost sufficed as a trust criterion.

What to Do Now

For those using AutoGen Studio with pre-releases: verify the installed version via pip show autogenstudio; builds 0.4.3.dev1 and 0.4.3.dev2 are vulnerable. For those developing against the main branch: commit b047730 contains the hardening, but the presence of the three changes (server-side session IDs, mandatory authentication for MCP, removal of the early-return) should be verified manually.

For organizations operating AI agents with browsing capabilities: isolate agents in containers or VMs separate from the host machine, so the headless browser does not share the localhost identity with privileged local services. Explicitly authenticate MCP or equivalent control planes, regardless of network interface.

For agentic framework maintainers: treat control paths as first-class attack surfaces, not internal channels. The absence of authentication on /api/mcp/ws in AutoGen Studio was the consequence of a boundary assumption that the arrival of AI agents has rendered obsolete.

Localhost Isn't Dead, But It's No Longer Enough

AutoJack demonstrates that the problem is not in the specific implementation of AutoGen Studio, but in a security assumption dating decades before AI agents. Localhost was a boundary because the actors on that boundary were humans or known services. When the actor is an AI system that navigates autonomously, it inherits capabilities and identities in ways origin checks did not anticipate.

The Microsoft research arrives at a moment when AI agents are transitioning from prototype to operational infrastructure. The "confused deputy" pattern AutoJack exploits — a legitimate component induced to perform unauthorized actions — is classic in security theory, but the delivery vehicle is new. AI is not just a target: it has become the channel.

Is the stable release of AutoGen Studio vulnerable?

No. According to Microsoft Security, the MCP WebSocket surface "was never included in a PyPI release", meaning a stable release. Version 0.4.2.2, installed by default via pip install autogenstudio, does not contain MCP routes. The Hacker News independently confirmed that this release does not expose the vulnerable WebSocket.

Why do the vulnerable pre-releases remain on PyPI?

Microsoft reported the behavior to MSRC and maintainers applied the fix in the main branch, but the dossier does not specify why builds 0.4.3.dev1 and 0.4.3.dev2 have not been yanked from PyPI. The source explicitly notes both remain available for installation.

Has a CVE been assigned for AutoJack?

The dossier does not confirm the existence of a specific CVE for the AutoJack vulnerabilities in AutoGen Studio. The associated CWEs — CWE-1385, CWE-306, CWE-78 — were documented by Microsoft Security as classifications of the weakness chain, but no CVE identifier appears to have been assigned at the time of publication.
