AI Security Wire

AutoJack: AutoGen Studio MCP WebSocket Chain Enables Single-Page RCE

A three-vulnerability chain in Microsoft’s AutoGen Studio lets an attacker execute arbitrary commands on the host machine by getting an AI browsing agent to visit a single malicious webpage. Disclosed in a Microsoft Security Blog post on June 18, 2026 and named AutoJack, the chain exploits weaknesses in how AutoGen Studio’s Model Context Protocol WebSocket surface handles origin validation, authentication, and process execution. Developers building AutoGen Studio from GitHub source were exposed; the published PyPI package was not affected.

The Three-Flaw Chain

AutoJack chains three independently mapped weaknesses in AutoGen Studio’s MCP WebSocket implementation. Each weakness has a distinct CWE identifier, and none alone is sufficient for exploitation.

CWE-1385: Missing origin validation in WebSockets. AutoGen Studio’s MCP WebSocket restricted connections to localhost origins, reasonable in isolation because external browsers cannot forge localhost headers. But an AutoGen browsing agent running on the same host is not a remote browser. When the agent visits a malicious webpage, JavaScript on that page establishes a WebSocket connection with a localhost origin, inheriting the local trust context. The origin check passes, and does nothing to prevent the attack.

CWE-306: Missing authentication on critical paths. AutoGen Studio’s authentication middleware explicitly skipped the /api/mcp/* route prefix, on the assumption that the WebSocket handler would enforce access controls. It did not. Any connection reaching the MCP WebSocket endpoint, authenticated or not, could interact with the control plane.

CWE-78: OS command injection via URL parameters. The MCP WebSocket accepted a server_params value base64-encoded in the URL and passed it, without sanitisation or allowlisting, to the process-launching code. An attacker who reaches the endpoint can supply arbitrary values for command, args, and env, specifying which executable runs and with what arguments.

How the Attack Executes

The path from page visit to code execution is compact. An attacker hosts a webpage with a small JavaScript payload that opens a WebSocket to ws://127.0.0.1:[port]/api/mcp/ws?server_params=[base64-payload]. When the AutoGen Studio browsing agent renders the page, that JavaScript runs within the agent’s localhost context. The origin check passes. Authentication is not evaluated on the /api/mcp/* path. The server_params value decodes to an attacker-specified command, and the process launcher runs it with the privileges of the AutoGen Studio process.

One page visit. One WebSocket connection. One command execution on the host. The browsing agent becomes the attack vector against its own operating environment.

Who Was Exposed

Not all AutoGen Studio users were at risk. The vulnerable code existed in the development branch on GitHub during a window before commit b047730. The autogenstudio package published to PyPI (version 0.4.2.2 at the time of disclosure) did not include the AutoJack-vulnerable code paths.

Exposure was limited to developers building from GitHub source, a common pattern in AI framework development where new capabilities ship on the main branch ahead of a formal package release. The browsing agent capability, central to triggering AutoJack, is a specific tool configuration rather than the default setup. Researchers and developers integrating web browsing into AutoGen pipelines are the most directly affected population.

This coverage comes about three weeks after the Microsoft Security Blog published the technical writeup on June 18, a gap that gave defenders time to patch before the chain received widespread attention.

The Fix

The maintainers addressed all three weaknesses in commit b047730. The server_params field was removed from WebSocket URL parameters entirely. A new POST /api/mcp/ws/connect endpoint now stores connection parameters server-side, keyed by a UUID returned to the caller. The WebSocket connection references that UUID rather than supplying parameters inline, eliminating the injection surface. MCP routes were also moved into the normal authentication middleware path, removing the explicit skip that had left /api/mcp/* open.

The change closes the vulnerability at multiple levels: no attacker-controlled data reaches the process launcher, and MCP routes now require the same credentials as the rest of the application.
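To make the fixed shape concrete, here is an added illustration written for this article rather than code from the AutoGen Studio repository: a server-side registry hands the WebSocket an opaque UUID handle, authentication is enforced at registration time, and any inline server_params on the WebSocket URL is rejected outright. The ConnectionRegistry, ALLOWED_COMMANDS and connection_id names are assumptions, and the launcher allowlist is extra hardening beyond what the commit is described as doing.

```python
import uuid
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs

# Hypothetical allowlist of MCP server launchers; an assumption for this example.
ALLOWED_COMMANDS = {"npx", "uvx", "python"}


@dataclass
class ConnectionRegistry:
    """Server-side store of MCP connection parameters, keyed by an opaque UUID."""
    _store: dict = field(default_factory=dict)

    def register(self, params: dict, authenticated: bool) -> str:
        """Handler for the POST-style connect call; returns the handle the WebSocket presents."""
        if not authenticated:  # enforced here, not delegated to the WebSocket handler
            raise PermissionError("MCP connect requires an authenticated session")
        command = params.get("command")
        if command not in ALLOWED_COMMANDS:
            raise ValueError(f"command {command!r} is not an allowed MCP launcher")
        args = params.get("args", [])
        if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
            raise ValueError("args must be a list of strings")
        handle = str(uuid.uuid4())
        # Caller-supplied env is deliberately not stored; the launcher uses a fixed env.
        self._store[handle] = {"command": command, "args": list(args)}
        return handle

    def resolve(self, handle: str) -> Optional[dict]:
        """Single-use lookup: a handle cannot be replayed once the WebSocket consumes it."""
        return self._store.pop(handle, None)


def websocket_params(query: str, registry: ConnectionRegistry) -> dict:
    """Resolve launch parameters for a WebSocket upgrade; only a handle is accepted."""
    qs = parse_qs(query)
    if "server_params" in qs:
        raise ValueError("inline server_params on the WebSocket URL are no longer accepted")
    handle = qs.get("connection_id", [""])[0]
    params = registry.resolve(handle)
    if params is None:
        raise LookupError("unknown or already-consumed connection_id")
    return params
```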

The Broader Pattern

AutoJack is a concrete instance of a pattern that will surface again as AI agent capabilities expand. Agents that browse the web acquire the ability to make network connections, including connections to local services on their host. Any localhost service enforcing origin-based access control is implicitly trusting all clients running on that machine, including agents visiting untrusted content.

MCP servers are a high-value target in this pattern. They increasingly surface tool execution and process control to local agents, and many implementations adopt a localhost-only binding as their primary security boundary. Origin validation on a WebSocket was designed to prevent cross-origin requests from remote browsers, not from a local JavaScript runtime rendering attacker-controlled markup.

AutoGen Studio caught this early and fixed it cleanly. Development environments for other frameworks that expose MCP control planes over WebSocket with similar localhost-only assumptions should be reviewed for the same chain: check whether authentication middleware is applied consistently across all routes, whether URL parameters reach any process-execution logic, and whether browsing-capable agents can initiate connections to the same local ports as MCP services.

Treating browsing-capable agents as semi-trusted within local network scope, not as fully trusted members of the host security perimeter, is the principle AutoJack makes concrete.

Frequently Asked Questions

What is AutoJack and which software does it affect?

AutoJack is a three-vulnerability chain in Microsoft AutoGen Studio's Model Context Protocol WebSocket surface. It allows a malicious webpage, when visited by an AutoGen browsing agent, to execute arbitrary commands on the host machine. The vulnerability affected developers building AutoGen Studio from GitHub source before commit b047730. The published PyPI package (autogenstudio) did not contain the vulnerable code.

Do I need to update my AutoGen Studio installation?

If you installed AutoGen Studio from PyPI (pip install autogenstudio), you were not exposed to AutoJack — the published package did not include the vulnerable code paths. If you built from the GitHub source repository before the fix landed in commit b047730, you should update to the current HEAD or switch to the stable PyPI release. Check whether your configuration includes a browsing agent; the browsing capability is the trigger for the exploit chain.

Why are AI browsing agents a different security concern from standard web browsers?

Standard browsers enforce same-origin policy but connect from a remote context. An AI browsing agent running on the same host as a localhost service inherits a localhost origin for any WebSocket connections it initiates — even to malicious pages. Controls that restrict WebSocket access to localhost were never designed to defend against a local client rendering attacker-controlled JavaScript. Any agentic application that browses untrusted content and runs alongside localhost-bound MCP servers or control planes should be reviewed with this pattern in mind.