AutoJack: one malicious web page can hijack an AI browser agent into full RCE via a privileged local service
AutoJack is a vulnerability in Microsoft Research's AutoGen Studio AI browsing agent framework that allows a malicious web page to hijack the AI agent and achieve full remote code execution (RCE) on the host machine via a privileged local service. The issue arises from a combination of trusting localhost connections, lack of authentication on a WebSocket endpoint, and executing commands directly from requests. The vulnerability affects two pre-release versions of AutoGen Studio (0.4.3.dev1 and 0.4.3.dev2) but not the stable release 0.4.2.2. A fix has been committed to the GitHub main branch but has not yet been released on PyPI. Until an official release is available, users should avoid running AutoGen Studio alongside browsing agents on the same machine or isolate them in containers or VMs.
AI Analysis
Technical Summary
AutoJack is an exploit chain targeting the AutoGen Studio open-source AI multi-agent framework by Microsoft Research. It leverages three weaknesses in the Model Context Protocol (MCP) WebSocket handler: (1) trusting localhost connections, which allows an AI browsing agent running locally to bypass origin checks; (2) missing authentication on the MCP WebSocket endpoint, permitting unauthenticated command execution; and (3) executing commands directly from request parameters without allowlisting. This enables a malicious web page loaded by the AI agent to run arbitrary commands on the host with the privileges of the AutoGen Studio process. The vulnerability was present in two pre-release PyPI builds (0.4.3.dev1 and 0.4.3.dev2) but not in the stable 0.4.2.2 release. Microsoft researchers reported the issue, and the maintainers hardened the main branch with commit b047730, introducing server-side parameter storage with one-time session IDs and enforcing authentication on MCP routes. No exploitation in the wild has been reported. Users who installed vulnerable pre-releases should update to the fixed GitHub main branch or isolate affected components until an official patch is released.
Potential Impact
Successful exploitation allows an attacker controlling a malicious web page to hijack an AI browsing agent running locally and execute arbitrary code on the host system with the privileges of the AutoGen Studio process. This occurs without requiring credentials, user interaction beyond loading the page, or sign-in prompts. The attacker can spawn processes on the host, potentially leading to full remote code execution and system compromise. The vulnerability is limited to environments where the vulnerable pre-release versions of AutoGen Studio are installed and the AI agent and AutoGen Studio share the same localhost context.
Mitigation Recommendations
A fix is available in the AutoGen Studio GitHub main branch as of commit b047730, which hardens the MCP WebSocket handler by enforcing authentication and removing direct command execution from request parameters. However, this fix has not yet been released on PyPI. Users who installed the stable release 0.4.2.2 are not affected. Those who installed vulnerable pre-release versions (0.4.3.dev1 or 0.4.3.dev2) should update by pulling the fixed code from GitHub main at or after commit b047730. Until an official patched release is published, users should avoid running AutoGen Studio on the same machine as any browsing or code-execution agent that processes untrusted content. If co-location is necessary, isolate the components in separate containers or virtual machines and run AutoGen Studio under a low-privilege account to reduce risk.
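The three controls this description attributes to the fix (authentication on the MCP route, parameters stored server-side under a one-time session ID, and an allowlist instead of executing whatever the request names) can be modelled in a few dozen lines. The example below is added here and is not AutoGen Studio's code nor the contents of commit b047730; the `Gate` class, the `ALLOWED_COMMANDS` set and the header layout are assumptions, and `resolve_unsafe` shows the trusting pattern only for contrast.

```python
"""Constructed example: weak vs hardened parameter handling for a local
command-launching WebSocket route. Not AutoGen Studio's implementation."""
import hmac
import secrets
from dataclasses import dataclass, field

# Assumption: the deployment decides what may be launched; nothing else runs.
ALLOWED_COMMANDS = {"echo", "ls"}


def resolve_unsafe(query_params: dict) -> tuple[str, list[str]]:
    """The pattern the advisory describes: the request itself names the
    command, and a localhost peer is treated as trusted. A local browsing
    agent steered by a web page is exactly such a peer."""
    return query_params["command"], list(query_params.get("args", []))


@dataclass
class Gate:
    """Hardened form: token check on every route, server-side parameter
    storage keyed by a single-use session ID, and an allowlist."""
    api_token: str
    _sessions: dict = field(default_factory=dict)

    def register(self, command: str, args: list[str]) -> str:
        """Called by the trusted UI path; returns only an opaque session ID."""
        if command not in ALLOWED_COMMANDS:
            raise PermissionError(f"command not allowlisted: {command}")
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (command, list(args))
        return sid

    def resolve(self, headers: dict, session_id: str) -> tuple[str, list[str]]:
        """Authenticate the socket request, then consume the session once."""
        presented = headers.get("Authorization", "").encode()
        expected = f"Bearer {self.api_token}".encode()
        # Origin or source address proves nothing here; the token is required.
        if not hmac.compare_digest(presented, expected):
            raise PermissionError("missing or invalid auth token")
        try:
            return self._sessions.pop(session_id)  # pop: IDs are one-time
        except KeyError:
            raise PermissionError("unknown or already-used session id") from None


def denied(fn, *args) -> bool:
    """Helper for checks: True when the call is refused with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```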
Reddit Discussion
This is the kind of thing that keeps me up at night about the whole AI agent gold rush. The chain lets a single malicious page hijack a browsing agent and reach a privileged local service for full RCE. No creds, no extra clicks once the agent loads the page.
We spent twenty years drilling "don't trust the web page" into browsers, and now we hand an autonomous agent the keys and let it wander attacker-controlled content on its own. Prompt injection stops being a chatbot party trick and becomes a code execution problem the moment the agent can touch anything local.
Detection side is the part I actually care about: anything that watches what a privileged local service is being asked to do, and treats agent-originated requests as untrusted by default, seems like the only sane posture here.
Links cited in this discussion
https://thehackernews.com/2026/06/autojack-attack-lets-one-web-page.html
Technical Details
- Source Type
- Subreddit: cybersecurity
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Domain: null
- Newsworthiness Assessment: {"score":30,"reasons":["external_link","newsworthy_keywords:rce","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["rce"],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a36bb1f49568db4e2fc4c83
Added to database: 6/20/2026, 4:09:03 PM
Last enriched: 6/20/2026, 4:09:13 PM
Last updated: 6/20/2026, 6:36:36 PM
Views: 22