VYPR
Advisory · Published Jun 19, 2026 · 1 source

AutoJack: Microsoft Discloses Exploit Chain That Lets a Single Web Page RCE the Host Running an AI Agent

Microsoft Security researchers disclosed AutoJack, an exploit chain targeting AutoGen Studio that allows a malicious web page rendered by an AI agent to execute arbitrary commands on the host via a local MCP WebSocket.

Microsoft Security researchers have disclosed a novel exploit chain dubbed AutoJack that targets AutoGen Studio, Microsoft's open-source prototyping interface for AI agent frameworks. The attack demonstrates how a single malicious web page rendered by a browsing agent can reach a local Model Context Protocol (MCP) WebSocket and spawn arbitrary processes on the host machine, effectively crossing the localhost trust boundary that many developer tools implicitly rely upon.

The exploit chain, detailed in a June 18 blog post by the Microsoft Security Response Center (MSRC), composes three independent weaknesses in AutoGen Studio's MCP WebSocket surface. The first issue (CWE-1385) is an origin allowlist that trusts only http://127.0.0.1 or http://localhost — a defense that blocks a browser pointed at evil.com but fails when the request originates from JavaScript rendered by a headless browser owned by an AutoGen agent running on the same machine. The second weakness (CWE-306) is an authentication middleware that explicitly skips /api/mcp/* paths, assuming those endpoints would implement their own checks — but the MCP WebSocket handler never did. The third flaw (CWE-78) allows the server_params query parameter to be base64-decoded into StdioServerParams and executed verbatim, with no allowlist restricting commands like calc.exe, powershell.exe -enc ..., or bash -c '...'.

When chained together, these vulnerabilities enable a remote code execution primitive that requires no user interaction beyond getting the agent to render the attacker's page. The attacker-controlled webpage opens a WebSocket to ws://localhost:8081/api/mcp/ws/?server_params=..., and AutoGen Studio decodes the payload and spawns the attacker-supplied command under the developer's account. Microsoft named the technique AutoJack because the attacker "carjacks" the browsing agent and uses it as a confused deputy to drive across the localhost boundary into AutoGen Studio's MCP control plane.

Microsoft reported the behavior to the MSRC, and the maintainers hardened the upstream main branch in commit b047730. Importantly, the affected MCP WebSocket surface was never included in a Python Package Index (PyPI) release, so users who install AutoGen Studio from PyPI are not exposed to this specific chain. The researchers emphasized that the broader lesson applies to all agent frameworks: if an agent can browse untrusted pages and also talk to privileged local services, loopback can become an attack surface, and control planes must be authenticated, authorized, and isolated.
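The "authenticated, authorized, and isolated" control plane the post calls for, as an added illustration that is not AutoGen Studio's code or the upstream fix in commit b047730: a gatekeeper in front of an MCP WebSocket endpoint that takes base64 `server_params`. The trusted origins, the command allowlist and the session token are constructed assumptions.

```python
import base64
import hmac
import json
from typing import Optional, Tuple

# Constructed example, not AutoGen Studio's code: a gatekeeper for an MCP WebSocket
# endpoint that takes StdioServerParams as a base64 query parameter and applies the
# three controls whose absence the AutoJack chain exploited.
TRUSTED_ORIGINS = {"http://127.0.0.1:8081", "http://localhost:8081"}
ALLOWED_COMMANDS = {"npx", "uvx"}            # hypothetical operator-vetted launchers
SESSION_TOKEN = "constructed-session-token"  # issued at login in a real deployment


def decode_server_params(raw: str) -> dict:
    """Decode base64 JSON into a StdioServerParams-shaped dict, or raise ValueError."""
    try:
        params = json.loads(base64.b64decode(raw, validate=True))
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        raise ValueError("server_params is not valid base64-encoded JSON") from exc
    if not isinstance(params, dict) or not isinstance(params.get("command"), str):
        raise ValueError("server_params must be an object with a string 'command'")
    args = params.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        raise ValueError("'args' must be a list of strings")
    params["args"] = args
    return params


def authorize_mcp_ws(origin: Optional[str], token: Optional[str], raw: str) -> Tuple[bool, str]:
    """Return (allowed, reason); only an allowed result may reach the process spawn."""
    # Origin is a first filter, not a trust boundary: a headless browser driven by an
    # agent on the same host sends a trusted origin, so the token check is mandatory.
    if origin not in TRUSTED_ORIGINS:
        return False, f"origin {origin!r} not allowed"
    if token is None or not hmac.compare_digest(token, SESSION_TOKEN):
        return False, "missing or invalid session token"
    try:
        params = decode_server_params(raw)
    except ValueError as exc:
        return False, str(exc)
    if params["command"] not in ALLOWED_COMMANDS:
        return False, f"command {params['command']!r} is not on the allowlist"
    # Spawn with argv [command, *args] and never shell=True, so an allowlisted
    # launcher cannot be turned into a shell string.
    return True, "ok"


def encode_server_params(params: dict) -> str:
    """Build the query-parameter value a client would send (used by the checks)."""
    return base64.b64encode(json.dumps(params).encode()).decode()
```

The decisive case is the second one: a request whose origin looks local but carries no session token is refused before the payload is even decoded.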

AutoGen Studio is a user interface on top of AutoGen, Microsoft Research's framework for multi-agent systems. It lets developers compose agents, attach tools (including MCP servers), and run quick experiments. Its documentation is clear about intended use as a research prototype with expected developer-experience tradeoffs — defaults tuned for ease of iteration rather than hardened deployment. This finding underscores the systemic execution risks in frameworks that wire models to tools, following earlier research from Microsoft covering RCE primitives in Semantic Kernel.

The disclosure comes amid growing attention to security in AI agent frameworks. As agents gain capabilities to read files, browse pages, call APIs, and shell out to tools, the attack surface expands correspondingly. Microsoft Defender detections have been updated to help secure agentic systems, and the company continues to invest in finding and mitigating such risks across the broader agent ecosystem.

Synthesized by Vypr AI