AutoJack Exploits Browsing Agents to Achieve RCE
Microsoft's Defender Security Research Team on June 18, 2026 disclosed AutoJack, a novel exploit chain that converts a single malicious webpage into a host-level remote code execution (RCE) vector against any machine running an AI browsing agent. The chain exploits trust in localhost, missing authentication on local endpoints, and unsafe parameter handling to reach AutoGen Studio's MCP WebSocket and trigger arbitrary process execution. Microsoft notes the vulnerable MCP WebSocket surface was never shipped in the PyPI release of AutoGen Studio, so PyPI users are not exposed; for source-install users, maintainers have patched by adding authentication to MCP paths and implementing server-side parameter handling. AutoJack fits a documented 2026 pattern of AI-agent localhost-hijack attacks; Microsoft's May 2026 blog separately detailed prompt-injection-to-RCE paths in Semantic Kernel. Practitioners running AI browsing agents locally should audit exposed local interfaces and apply least-privilege network policies.
What happened
Microsoft's Defender Security Research Team disclosed AutoJack on June 18, 2026 via the Microsoft Security Blog - a novel exploit chain showing how a single malicious webpage can turn an AI browsing agent into a host-level remote code execution (RCE) vector. The chain combines attacker-controlled web content, implicit trust in localhost, missing authentication on local endpoints, and unsafe parameter handling to reach AutoGen Studio's MCP WebSocket, enabling arbitrary process execution on the host. According to Microsoft, the affected MCP WebSocket surface was never included in a PyPI release; users who install AutoGen Studio from PyPI are not exposed to this specific chain.
Technical details
Microsoft's research identifies three chained weaknesses in AutoGen Studio's MCP WebSocket: unauthenticated local WebSocket endpoints, insecure URL-based parameter passing that reaches shell-invokable code paths, and a browsing agent that follows untrusted page-hosted content. No proof-of-concept code was published. For source-based installs, maintainers have since removed URL-based parameter injection, routed MCP paths through normal authentication flows, and implemented server-side parameter handling keyed to session identifiers, per Microsoft's disclosure. Microsoft's May 2026 security blog ("When prompts become shells") separately documented RCE paths in Semantic Kernel via prompt injection to code/eval sinks - the same attack class applies across agent frameworks.
Context and significance
The broader attack class - malicious web content reaching local services through a browsing agent - was documented as early as February 2026 with ClawJacked (OpenClaw) and in subsequent disclosures involving MCP-based runtimes. AutoJack follows the same pattern: a browser permits a WebSocket connection to localhost, the AI agent follows the page, and the attacker uses the open connection to reach an unprotected local service. As a first-party Microsoft Security disclosure, the findings are confirmed; the limited exposure (PyPI users unaffected, source installs patched) constrains operational impact but the research contribution is significant.
What to watch
For source-install users of AutoGen Studio, apply the maintainer patches described by Microsoft: authentication on MCP paths and server-side parameter handling. Monitor for any CVE assignment tied to the MCP WebSocket interface. Practitioners should also watch for similar disclosures across other MCP-based agent runtimes that expose local WebSocket or REST interfaces to browsing agents.
For practitioners
Audit local interfaces (WebSocket, REST) exposed to or reachable by autonomous browsing agents. Apply least-privilege network policies so agents cannot contact arbitrary localhost ports. If running AutoGen Studio from source, apply the official Microsoft-documented patches. PyPI installs of AutoGen Studio are not affected by this specific chain per Microsoft's disclosure.
Key Points
- 1Microsoft's Defender Security Research Team disclosed AutoJack on June 18, 2026 - a chain exploiting localhost trust, missing authentication, and unsafe parameter handling in AutoGen Studio's MCP WebSocket to achieve host-level RCE.
- 2The vulnerable MCP WebSocket surface was never shipped in the PyPI release; source installs have been patched per Microsoft with authentication on MCP paths and server-side parameter handling.
- 3AutoJack is part of a documented 2026 pattern of AI-agent localhost-hijack vulnerabilities; practitioners should audit and restrict local interfaces exposed to autonomous browsing agents.
Scoring Rationale
Microsoft's Defender Security Research Team officially disclosed AutoJack - a confirmed RCE chain in AutoGen Studio's MCP WebSocket - raising this well above a single-source security tip. Score is moderated to 6.3 because the affected MCP WebSocket surface was never shipped in the PyPI release (limiting practical exposure) and maintainers have already patched source installs; however, the official Microsoft authorship, documented attack class, and relevance to the rapidly growing AI-agent security surface warrant a Notable rating.
Sources
Public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems

