AutoJack Exploits Browsing Agents to Achieve RCE
IT Security News reports a novel exploit chain named AutoJack that researchers say can turn a malicious webpage into a host-level remote code execution (RCE) vector against the machine running an AI browsing agent. According to the report, the chain exploits trust in localhost, missing authentication, and unsafe parameter handling to reach AutoGen Studio's MCP WebSocket and trigger arbitrary process execution. IT Security News has not published full technical details or proof-of-concept code, and no CVE or official vendor advisory from AutoGen Studio has been reported as of this writing. The underlying attack class - browsers permitting WebSocket connections to localhost that AI agents can be tricked into abusing - is a documented pattern; Microsoft's May 2026 security blog separately detailed prompt-injection-to-RCE paths in AI agent frameworks. Practitioners running AI browsing agents locally should audit exposed WebSocket and REST interfaces and apply least-privilege network policies.
What happened
IT Security News reports a novel exploit chain named AutoJack that can turn a single malicious webpage into a host-level remote code execution vector by abusing an AI browsing agent. According to IT Security News, the chain combines attacker-controlled web content, implicit trust in localhost, missing authentication on local endpoints, and unsafe parameter handling. The report states the chain specifically targets AutoGen Studio's MCP WebSocket, and that attackers can trigger arbitrary process execution through that interface. No CVE has been assigned and no official advisory from AutoGen Studio or Microsoft (AutoGen's maintainer) has been publicly reported.
Technical details
IT Security News describes the technical root causes at a high level without releasing proof-of-concept code. The reported elements - unauthenticated local WebSocket endpoints, insecure parameter passing that can lead to shell invocation, and an agent that follows links and interacts with page-hosted interfaces - are consistent with documented attack classes in AI agent security. Microsoft's May 2026 security blog ("When prompts become shells") separately documented two cases where prompt injection in Semantic Kernel led to host-level RCE via code/eval sinks, illustrating how the same attack boundary applies across agent frameworks.
Context and significance
The broader attack class - malicious web content reaching local services through a browsing agent - was documented as early as February 2026 with ClawJacked (OpenClaw) and in subsequent disclosures involving MCP-based runtimes. AutoJack, as reported, follows the same pattern: a browser permits a WebSocket connection to localhost, the AI agent follows the page, and the attacker uses the open connection to reach an unprotected local service. The pattern is credible; the specific AutoJack technical details remain single-sourced and unconfirmed by the vendor.
What to watch
Watch for vendor advisories or security bulletins from AutoGen Studio and Microsoft; any CVE assignment tied to the described MCP WebSocket interface; and mitigation guidance such as WebSocket authentication requirements, binding restrictions, or agent sandboxing. The absence of an official disclosure at time of publication means details should be treated as preliminary.
For practitioners
Audit local interfaces (WebSocket, REST) exposed to or reachable by autonomous browsing agents. Apply least-privilege network policies so agents cannot contact arbitrary localhost ports. Subscribe to AutoGen Studio's GitHub security advisories for any patch or advisory. These recommendations reflect general agent-security hygiene and the documented attack class, not a confirmed AutoJack-specific advisory.
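As an added illustration of the mitigations listed above (this is example code written for this note, not AutoGen Studio's own handshake handling, which the report does not describe), here is a minimal authorization check for a loopback-bound WebSocket service: it rejects upgrade requests whose Origin header is not an allow-listed local UI origin and requires a per-session token on the upgrade URL, because binding to 127.0.0.1 alone does not stop a browser from relaying a connection opened by any web page. The allowed origins, the port and the `token` query-parameter name are assumptions.

```python
import hmac
from urllib.parse import parse_qs, urlparse

# Assumed allow-list: the only origins that legitimately open this socket.
# Browsers always send Origin on WebSocket upgrades, so a connection relayed
# from an arbitrary web page carries that page's origin and fails here.
ALLOWED_ORIGINS = {"http://127.0.0.1:8081", "http://localhost:8081"}


def origin_allowed(origin):
    """Reject missing, malformed ("null") or non-allow-listed Origin values."""
    if not origin:
        return False
    parsed = urlparse(origin)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False
    return f"{parsed.scheme}://{parsed.netloc}" in ALLOWED_ORIGINS


def token_from_target(request_target):
    """The browser WebSocket API cannot set custom headers, so the legitimate
    client is assumed to pass its session token as ?token= on the upgrade URL."""
    values = parse_qs(urlparse(request_target).query).get("token", [])
    return values[0] if len(values) == 1 else None


def authorize_handshake(headers, request_target, expected_token):
    """Decide whether a WebSocket upgrade may proceed.
    Returns (allowed, reason) so the caller can log every rejection."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not origin_allowed(h.get("origin")):
        return False, "origin not allow-listed"
    presented = token_from_target(request_target)
    # Constant-time compare; a cross-origin page cannot read the local UI's token.
    if presented is None or not hmac.compare_digest(
        presented.encode(), expected_token.encode()
    ):
        return False, "missing or wrong session token"
    return True, "ok"


if __name__ == "__main__":
    import secrets
    token = secrets.token_urlsafe(32)  # constructed per-session token
    # Constructed sample upgrade requests, not captured traffic.
    samples = {
        "legitimate local UI": ({"Origin": "http://localhost:8081"}, f"/ws?token={token}"),
        "relayed from a web page": ({"Origin": "https://some-site.example"}, f"/ws?token={token}"),
        "local origin, no token": ({"Origin": "http://127.0.0.1:8081"}, "/ws"),
    }
    for name, (hdrs, target) in samples.items():
        print(f"{name}: {authorize_handshake(hdrs, target, token)}")
```

The same two checks apply to a local REST interface: validate Origin on state-changing requests and require a credential the page cannot obtain cross-origin.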
Scoring Rationale
Single-source report of an RCE chain against AI browsing agents via localhost WebSocket abuse; no CVE or vendor advisory has been confirmed as of publication. The underlying attack class is credible and consistent with documented 2026 agent security disclosures, but the score is restrained pending independent verification or official acknowledgment.