AutoJack: Microsoft Details Exploit Chain Turning AI Agents into RCE Delivery Vehicles
Microsoft researchers have unveiled 'AutoJack,' a novel exploit chain that leverages AI browsing agents to achieve remote code execution (RCE). The vulnerability, found in specific pre-release builds of **AutoGen Studio**, allows an attacker to direct an AI agent to a malicious webpage, subsequently executing arbitrary commands on the host machine without further user interaction.

**Microsoft** researchers have detailed an exploit chain, named **AutoJack**, that turns an AI browsing agent into a delivery vehicle for remote code execution.
The exploit allows an attacker to steer the agent to load a malicious web page. This page's JavaScript can then reach a privileged local service on the same machine and spawn a process on the host.
Crucially, this attack requires no credentials, sign-in screens, or further user interaction once the agent loads the page. The attacker only needs to get the agent to open the page, which can be achieved via a planted link, a URL field, or a prompt injection.
### The Vulnerable Component: AutoGen Studio
The flaw resides in **AutoGen Studio**, the open-source prototyping interface for **Microsoft Research**'s **AutoGen** multi-agent framework. It's important to note that this is not a bug affecting all installations of the package.
A standard `pip install autogenstudio` command pulls the current stable release, 0.4.2.2, which **Microsoft** inspected and confirmed has no **Model Context Protocol (MCP)** route at all.
**Microsoft** stated that the vulnerable **MCP WebSocket** surface "was never included in a PyPI release" for the stable build. However, the vulnerable handler *did* ship to PyPI in two pre-release builds: 0.4.3.dev1 and 0.4.3.dev2. Both of these builds, inspected by The Hacker News, contain the **MCP WebSocket** route, where the handler takes commands directly from requests without authenticating the caller. Neither of these pre-release builds has been removed.
Users who installed these pre-releases (typically by passing `--pre` or pinning the version) were exposed. A plain `pip install` would not have installed these pre-releases. A fixed code commit (**b047730**) is available on **GitHub**'s main branch, but this hardening has not yet been incorporated into a **PyPI** release.
### How the AutoJack Chain Works
**AutoJack** exploits three weaknesses within the **MCP WebSocket**:

1. **Bypassed Localhost Check**: The socket accepted any connection that arrived from localhost, a check intended to stop a browser that has been pointed at a malicious site from reaching the service. A browsing agent running on the same machine, however, connects from localhost itself, so any page it loads inherits that localhost identity and passes the check.
2. **Authentication Middleware Skipped**: The authentication middleware skipped **MCP** paths, assuming the handler would verify tokens itself. This verification never occurred, allowing the socket to accept unauthenticated connections regardless of the configured authentication mode.
3. **Unrestricted Command Execution**: The endpoint directly took a command from a request parameter and executed it, without any allowlist to restrict which executables could be launched.
Together, these weaknesses enable a page on the open internet, rendered by a local agent, to execute an attacker-chosen command under the account running **AutoGen Studio**.
**Microsoft** describes this as research, with no reported exploitation in the wild. A proof-of-concept demonstrated using a "Web Content Summarizer" agent to launch `calc.exe` on the developer's desktop when fed an attacker's URL.

**Microsoft** reported the behavior to the **Microsoft Security Response Center (MSRC)**. The maintainers have since hardened the main branch in commit **b047730** (**PR #7362**). The fixed handler no longer reads commands directly from the URL; parameters are now stored server-side behind a one-time session ID, and unknown IDs are refused. Additionally, **MCP** routes now pass through the normal authentication path. This hardening is currently only in the **GitHub** source, not yet in a **PyPI** release.
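To make the three weaknesses and the described hardening concrete, here is an added example that models the handler's decision logic as plain Python functions; it is written for this article and is not AutoGen Studio's code. The route path `/mcp/ws`, the `command` and `session_id` parameter names, the bearer-token scheme, the `SessionStore` class and the `ALLOWED_EXECUTABLES` allowlist are all assumptions for illustration (the allowlist goes beyond the fix the article describes, which only moves parameters behind a one-time session ID and restores authentication). Process creation is replaced by a recorder so the script runs offline without spawning anything.

```python
"""Vulnerable vs. hardened MCP WebSocket handler, modelled as plain functions.

Example code for this article, not AutoGen Studio's source. Names, paths and
the session store are assumptions; `launch_record` stands in for Popen.
"""
import secrets
import shlex
from dataclasses import dataclass, field

# Constructed for the example: the token the control plane expects.
EXPECTED_TOKEN = "example-token"


@dataclass
class Request:
    path: str
    client_host: str            # peer address as seen by the server
    query: dict
    headers: dict = field(default_factory=dict)


def launch_record(argv):
    """Stand-in for spawning a process: records argv instead of running it."""
    return {"spawned": argv}


def token_ok(req):
    presented = req.headers.get("Authorization", "")
    return secrets.compare_digest(presented, f"Bearer {EXPECTED_TOKEN}")


# ---------------- vulnerable pattern (the 'before') ----------------

def auth_middleware_vulnerable(req):
    # Weakness 2: MCP paths are exempted on the assumption that the handler
    # checks the token itself. It never does.
    if req.path.startswith("/mcp"):
        return True
    return token_ok(req)


def mcp_ws_vulnerable(req, launch=launch_record):
    if not auth_middleware_vulnerable(req):
        return {"error": "unauthorized"}
    # Weakness 1: localhost treated as a trust boundary. A browsing agent on
    # the same machine connects from 127.0.0.1, so pages it renders pass.
    if req.client_host not in ("127.0.0.1", "::1"):
        return {"error": "forbidden"}
    # Weakness 3: the command comes straight from the request, no allowlist.
    argv = shlex.split(req.query.get("command", ""))
    if not argv:
        return {"error": "empty command"}
    return launch(argv)


# ---------------- hardened pattern (the 'after') ----------------

# Assumption for illustration: launchers an operator would permit for MCP
# servers. The article's fix does not describe an allowlist; this adds one.
ALLOWED_EXECUTABLES = {"python", "npx", "uvx"}


class SessionStore:
    """Parameters are stored server-side behind a one-time session ID."""

    def __init__(self):
        self._sessions = {}

    def create(self, command, args):
        # Called from an authenticated REST endpoint, never from page content.
        if command not in ALLOWED_EXECUTABLES:
            raise ValueError(f"executable not allowed: {command!r}")
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (command, list(args))
        return sid

    def pop(self, sid):
        # One-time: the entry is consumed on first use; unknown IDs yield None.
        return self._sessions.pop(sid, None)


def auth_middleware_hardened(req):
    # No path exemptions: MCP routes take the same authentication path.
    return token_ok(req)


def mcp_ws_hardened(req, store, launch=launch_record):
    if not auth_middleware_hardened(req):
        return {"error": "unauthorized"}
    params = store.pop(req.query.get("session_id"))
    if params is None:
        return {"error": "unknown session"}   # refuse unknown or reused IDs
    command, args = params
    return launch([command, *args])
```

In the vulnerable path a page rendered by a local agent only has to open a WebSocket to `/mcp/ws?command=calc.exe` from 127.0.0.1; in the hardened path the same request fails twice over, once for lacking the bearer token and once because `calc.exe` is not a session the authenticated API created.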
### What to Do
* **If you installed the stable release (0.4.2.2)** via `pip install autogenstudio`, you are not affected, as this version lacks the **MCP** route.
* **If you installed a pre-release (0.4.3.dev1 or 0.4.3.dev2)**, you have the vulnerable handler, and there is no patched **PyPI** build available yet. Either install from **GitHub** main at or after commit **b047730**, or, if you do not need the pre-release features, fall back to the stable 0.4.2.2, which has no **MCP** route to expose.
* **Mitigation Strategy**: Until a patched **PyPI** release is available, separate the components the attack needs. Avoid running **AutoGen Studio** on the same machine as a browsing or code-execution agent that interacts with untrusted content. The exploit only works when both share the same localhost. If they must run together, isolate them in separate containers or VMs and run **AutoGen Studio** under a low-privilege account.
### Broader Implications
The **AutoGen Studio** bugs are patched in the source, but the underlying pattern of vulnerabilities persists. **Microsoft** anticipates similar weaknesses in other agent frameworks: a local service with excessive privileges, a localhost check mistakenly treated as a security boundary, and an agent that opens untrusted pages.
This pattern has been observed recently, including in **ChatGPhish**, where **ChatGPT**'s page summaries were leveraged for phishing. **Microsoft** also highlighted a similar localhost argument in its **Semantic Kernel RCE** research, tracked as **CVE-2026-26030** and **CVE-2026-25592**.
Moving forward, relying solely on a localhost check is insufficient. It is critical to authenticate the control plane, implement an allowlist for process execution, and assign agents an identity distinct from the developer's own session. When an agent can browse the open web and access privileged local services, localhost can no longer be considered a secure trust boundary.