AutoJack Turns AI Browsing Agents Into Zero-Click RCE Vectors
Microsoft discloses AutoJack, an exploit chain that hijacks AutoGen Studio AI agents via malicious webpages. A single URL visit triggers arbitrary code execution on the host machine.
Microsoft's Defender Security Research Team disclosed AutoJack on June 18, a chained exploit that turns web-browsing AI agents into remote code execution vectors. A developer browsing a malicious webpage while running AutoGen Studio on localhost can have their machine completely compromised—no credentials required.
The attack targets AutoGen Studio, Microsoft's graphical interface for the AutoGen agentic AI framework. While stable releases remain unaffected, two pre-release builds on PyPI shipped vulnerable code that remains available for download.
Three Weaknesses, One Exploit Chain
AutoJack chains three separate flaws in the MCP (Model Context Protocol) WebSocket handler to achieve unauthenticated command execution:
Localhost Trust Bypass: The MCP WebSocket accepted all connections appearing to originate from localhost. When AI browsing agents render attacker-controlled content, they run locally—passing origin checks that should reject external requests.
Authentication Middleware Gap: Microsoft's security blog noted that "the authentication middleware skipped MCP paths on the assumption that the handler would verify tokens itself. It never did." This left the WebSocket endpoint completely exposed once origin checks passed.
Direct Command Injection: The vulnerable endpoint accepted base64-encoded parameters and passed them directly to process-launching code. Attackers could trigger arbitrary PowerShell, Bash, or executable execution without any sanitization.
This pattern mirrors what we saw earlier this month with Agentjacking, where researchers demonstrated MCP injection attacks against AI coding assistants through Sentry error events. Both attacks exploit the fundamental disconnect between how AI agents trust external data and how security boundaries should actually work.
Proof-of-Concept: Calculator to Catastrophe
Microsoft demonstrated the attack using a simple "Web Content Summarizer" agent configured to analyze URLs. When directed to a malicious page, the agent fetched attacker-controlled content, processed it through the vulnerable MCP WebSocket, and spawned calc.exe on the developer's machine—a classic proof-of-concept demonstrating arbitrary code execution.
In practice, attackers could deploy cryptocurrency miners, steal environment variables and Git credentials, or establish persistent access to the compromised development machine. The attack requires no interaction beyond visiting a webpage while AutoGen Studio runs in the background.
Which Versions Are Affected
The vulnerability's blast radius is narrower than typical framework flaws:
| Build Type | Version | Status |
|---|---|---|
| Stable Release | 0.4.2.2 | Not affected |
| Pre-release | 0.4.3.dev1 | Vulnerable (on PyPI) |
| Pre-release | 0.4.3.dev2 | Vulnerable (on PyPI) |
| GitHub main | Before commit b047730 | Vulnerable |
| GitHub main | After commit b047730 | Patched |
Microsoft emphasized that "the vulnerable MCP WebSocket surface was never included in a PyPI release"—referring to stable releases. However, developers who installed pre-release builds or built from the main branch during the vulnerable window should verify their installations.
The stable 0.4.2.2 release uses a different communication protocol that already enforced origin checks and never exposed the vulnerable code path. The problematic MCP handler only shipped in development builds.
The Fix
PR #7362 at commit b047730 addresses all three weaknesses:
- Parameters are now stored server-side with one-time session IDs rather than passed inline
- MCP routes are integrated into normal authentication paths
- Only requests from the same localhost origin (e.g., http://localhost:5000) are accepted
- The message parser restricts input to a whitelist of safe commands
No stable release containing the fix has shipped yet, but developers building from source can pull the latest main branch.
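The four fix items above amount to one request gate. The following added example (not AutoGen Studio's code; origins, tokens, command names and the session store are assumptions) shows that gate: exact-origin allowlist, token check on the MCP path itself, server-side parameters resolved through a one-time session ID, and a command whitelist so nothing decoded from the client reaches a process launcher.

```python
import hmac
import re
import secrets

# Exact-match origin allowlist (assumed values): a substring test for
# "localhost" is the kind of check the chain slipped past.
ALLOWED_ORIGINS = {"http://localhost:5000", "http://127.0.0.1:5000"}

# Hypothetical command whitelist: fixed argv templates plus a regex per
# substitutable parameter, so no free-form client data reaches a shell.
SAFE_COMMANDS = {
    "echo_tool": {"argv": ["echo", "{message}"],
                  "params": {"message": r"[\w .,-]{1,200}"}},
    "list_tools": {"argv": ["python", "-m", "pip", "list"], "params": {}},
}


class McpSessionStore:
    """Parameters live server-side under a one-time session ID."""

    def __init__(self):
        self._sessions = {}

    def create(self, command, params):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (command, dict(params))
        return sid

    def consume(self, sid):
        return self._sessions.pop(sid, None)  # pop() makes the ID single-use


def authorize_mcp_request(origin, token, expected_token, session_id, store):
    """Gate an MCP WebSocket request; returns (ok, reason, argv)."""
    if origin not in ALLOWED_ORIGINS:
        return False, "origin rejected", None
    if token is None or not hmac.compare_digest(token, expected_token):
        return False, "auth failed", None
    entry = store.consume(session_id)
    if entry is None:
        return False, "unknown or already-used session", None
    command, params = entry
    spec = SAFE_COMMANDS.get(command)
    if spec is None:
        return False, "command not whitelisted", None
    for name, pattern in spec["params"].items():
        if not re.fullmatch(pattern, str(params.get(name, ""))):
            return False, f"invalid param {name}", None
    argv = [a.format(**params) for a in spec["argv"]]  # never shell=True
    return True, "ok", argv
```

Order matters: origin and token are verified before the session ID is consumed, so a rejected request cannot burn a legitimate one-time ID, and the replayed ID in the last step fails even with valid origin and token.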
Why This Matters for AI Development
AutoJack demonstrates a growing class of vulnerabilities where AI agent capabilities become attack vectors. When frameworks expose tools for file access, code execution, or network requests, prompt injection and MCP manipulation can escalate from data theft to full system compromise.
This continues a troubling pattern in AI framework security. The Splunk AI Toolkit command injection we covered last week showed similar issues—authenticated users achieving arbitrary code execution through AI components that handle external input insecurely.
Microsoft's own security blog on prompt-to-shell RCE published last month documented related vulnerabilities in Semantic Kernel (CVE-2026-26030 and CVE-2026-25592), reinforcing that agentic AI frameworks require the same security scrutiny as traditional web applications.
Recommendations
Microsoft recommends deploying AutoGen Studio "strictly as a developer prototype in an isolated environment" not exposed to the internet. For organizations experimenting with AI agents, additional precautions apply:
- Audit pre-release installations: Check if you installed autogen-studio versions 0.4.3.dev1 or 0.4.3.dev2 via pip
- Update from source: Pull the latest main branch containing the security fixes
- Isolate AI development: Run AI agent frameworks in VMs or containers with restricted network access
- Monitor for tool abuse: AI agents shouldn't need to spawn arbitrary processes—alert on unexpected execution patterns
- Treat agent output as untrusted: Any data flowing through AI agents could contain injected commands
The broader lesson echoes what security researchers have warned about throughout 2026: AI agents that can browse, execute, and interact aren't just productivity tools. They're attack surfaces that grow with every capability you add.