In brief: Web-enabled AI agents can compromise privileged local services through faulty local security boundaries (the localhost trust boundary), enabling host-level RCE.
Microsoft has documented a new attack chain against web-capable AI agents, the so-called “AutoJack” method, which leads via browsing agents in AutoGen Studio to arbitrary code execution on the host system. The vulnerability was fixed before public disclosure and affected only developer builds.
Attack mechanism
Microsoft researchers demonstrated against AutoGen Studio, an open-source framework for multi-agent systems, how a malicious website visited by a browsing agent can reach a locally running Model Context Protocol (MCP) service and execute arbitrary processes on the host. The technique was named “AutoJack” because it hijacks a web-accessing agent and misuses the agent’s local privileges to circumvent localhost security boundaries.
The three chained vulnerabilities
The attack exploited three separate flaws in AutoGen Studio’s MCP WebSocket implementation. First: an origin allowlist was meant to restrict connections to localhost, but a locally executed browsing agent inherits the localhost identity, so malicious JavaScript it loaded passed the check. Second: the authentication logic excluded MCP WebSocket paths from the normal authentication checks and left their verification to the MCP endpoint itself, but that endpoint never performed the checks. Third, and most dangerous: the MCP endpoint accepted a “server_params” value directly in the URL, decoded it, and passed it unchecked to the process-spawning mechanism. Because no allowlist restricted which commands could be executed, an attacker could launch arbitrary commands such as PowerShell or Bash.
Impact and remediation
The vulnerable code existed only in developer builds with MCP support and was never distributed via PyPI. Users who installed AutoGen Studio via PyPI were not at risk. For users with builds from source code, the URL-based parameter injection was removed, MCP paths were routed into normal authentication flows, and server-side parameter processing via session IDs was implemented.
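The three fixes just described, as an added defensive example that is not AutoGen Studio’s own code: an authorization gate for an MCP WebSocket connect request that does not trust a localhost Origin on its own, applies the normal bearer-token check to MCP paths, refuses any server_params supplied in the URL, resolves launch parameters from a server-side session store instead, and checks them against a command allowlist. The token, origins, session store, allowlist and URL path are all constructed for the example.

```python
import hmac
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed server-side state for this example (not AutoGen Studio's own).
API_TOKEN = "constructed-example-token"
ALLOWED_ORIGINS = {"http://127.0.0.1:8081", "http://localhost:8081"}
COMMAND_ALLOWLIST = {"uvx", "npx"}      # MCP launchers the operator permits
SESSION_STORE = {                       # session_id -> params registered server-side
    "sess-1": {"command": "uvx", "args": ["example-mcp-server"]},
    "sess-2": {"command": "bash", "args": ["-c", "id"]},   # stored, but not allowlisted
}

@dataclass
class Decision:
    allowed: bool
    reason: str
    params: Optional[dict] = None

def authorize_mcp_connect(url: str, origin: str, auth_header: Optional[str]) -> Decision:
    """Gate an MCP WebSocket connect request before any process is spawned.

    Each step closes one of the three flaws described above: a localhost
    Origin alone is not trusted, MCP paths are not exempt from authentication,
    and launch parameters are never taken from the URL.
    """
    query = parse_qs(urlparse(url).query)
    # Origin is a hint, not an identity: a local browsing agent shares it.
    if origin not in ALLOWED_ORIGINS:
        return Decision(False, "origin not allowed")
    # MCP paths get the same bearer-token check as every other path.
    if auth_header is None or not hmac.compare_digest(auth_header, f"Bearer {API_TOKEN}"):
        return Decision(False, "unauthenticated")
    # Launch parameters come from server-side session state, never the URL.
    if "server_params" in query:
        return Decision(False, "server_params in URL rejected")
    session_id = query.get("session_id", [None])[0]
    params = SESSION_STORE.get(session_id)
    if params is None:
        return Decision(False, "unknown session")
    # Even stored parameters must name an allowlisted command.
    if params["command"] not in COMMAND_ALLOWLIST:
        return Decision(False, f"command {params['command']!r} not allowlisted")
    return Decision(True, "ok", params)

def launch_argv(decision: Decision) -> list:
    """Argv list to hand to subprocess.Popen (a list, never a shell string)."""
    if not decision.allowed or decision.params is None:
        raise PermissionError(decision.reason)
    return [decision.params["command"], *decision.params["args"]]
```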
Significance for agent frameworks in general
Microsoft emphasizes that the AutoJack pattern extends beyond AutoGen and could affect a broader class of agentic frameworks. The core problem — a local agent accessing external websites while simultaneously communicating with privileged local services — represents a recurring risk. The company is tracking these findings as part of its active research into security risks that arise when AI models are connected to tools, browsers, code interpreters, and local services.
Source: www.csoonline.com · Published June 19, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.