Microsoft patches AutoJack vulnerability that let malicious webpages hijack AI agents for code execution

Reviewed byNidhi Govil

3 Sources

Share

Microsoft disclosed AutoJack, a vulnerability chain in AutoGen Studio that allowed attackers to manipulate AI agents into executing arbitrary commands simply by visiting a malicious webpage. The flaw chained three weaknesses in the localhost trust boundary, authentication, and command execution, but was patched before reaching most users.

AutoJack Vulnerability Turns AI Agents Into Attack Vectors

Microsoft's Defender Security Research Team has disclosed a critical vulnerability chain dubbed AutoJack that affects AutoGen Studio, the graphical interface for building multi-agent AI systems . The AutoJack vulnerability allowed attackers to hijack AI agents and achieve remote code execution payloads on host systems simply by directing an agent to visit a malicious webpage

2

. AutoGen Studio, part of Microsoft's open-source AutoGen framework with more than 59,000 stars on GitHub, enables developers to create AI agents that can collaborate, browse the web, execute code, and interact with APIs

1

.

Source: Hacker News

Source: Hacker News

Three Weaknesses Chained for Arbitrary Code Execution

The AutoJack attack exploits three separate flaws in AutoGen Studio's Model Context Protocol (MCP) WebSocket implementation

3

. First, the WebSocket trusted localhost connections, a check designed to block external browsers but ineffective against browsing agents running on the same machine

2

. Second, authentication middleware skipped MCP paths entirely, assuming the handler would verify tokens itself—which it never did

2

. Third, the endpoint accepted commands directly from request parameters and executed them without any allowlist restrictions

2

. When chained together, these weaknesses enabled a malicious webpage attack where JavaScript on an attacker-controlled page could open a WebSocket connection to AutoGen Studio's local MCP endpoint and instruct it to launch arbitrary code execution with the developer's account privileges

1

.

Limited Exposure to GitHub Developers Only

Microsoft emphasized that the vulnerability in AI agent framework had minimal real-world impact because it was identified and remediated during development

1

. Users installing AutoGen Studio from PyPI were never exposed to the affected code, as the current stable package autogenstudio 0.4.2.2 does not contain the AutoJack weaknesses

1

. However, investigation revealed that two pre-release builds—0.4.3.dev1 and 0.4.3.dev2—shipped to PyPI with the vulnerable MCP WebSocket route intact

2

. Only developers who built AutoGen Studio directly from the main GitHub branch during a limited window before commit b047730 or explicitly installed pre-release versions were impacted

1

.

Proof-of-Concept Demonstrates Real Attack Scenario

In a realistic proof-of-concept demonstration, Microsoft researchers created a "Web Content Summarizer" agent scenario

2

. When the AI agent was directed to summarize content from an attacker-controlled URL, malicious JavaScript executed on the page and launched Windows Calculator on the developer's desktop

1

. The attack required no credentials, no sign-in screen, and no further user interaction once the agent loaded the page

2

. Microsoft reported no exploitation in the wild and described this as research rather than an active campaign

2

.

Source: TechRadar

Source: TechRadar

Hardening Measures and AI Agent Security Recommendations

The AutoGen team addressed the vulnerability through commit b047730 (PR #7362), implementing several hardening measures

2

. The fixed handler no longer reads commands from URL parameters; instead, parameters are stored server-side behind a one-time session ID, and unknown IDs are refused

2

. MCP routes now run through the normal authentication path, closing the authentication bypass

2

. Microsoft recommends deploying AutoGen Studio strictly as a developer prototype in a sandboxed environment not exposed to the internet

1

. The company advises against running the project with AI agents capable of browsing or executing arbitrary code on machines with untrusted content

1

. "Run AutoGen Studio under a low-privilege account in a sandboxed user profile or container so that any future agent-driven RCE is contained to a dev profile, not your daily-driver account," Microsoft advises

1

.

Source: BleepingComputer

Source: BleepingComputer

Broader Implications for AI Agent Frameworks

Microsoft expects similar attack patterns to emerge in other agent frameworks, warning that "a local service with too much power, a localhost check treated as security, and an agent that opens untrusted pages" creates a dangerous combination

2

. The research follows similar localhost-based vulnerabilities Microsoft identified in ChatGPhish last month and in its Semantic Kernel RCE research, tracked as CVE-2026-26030 and CVE-2026-25592

2

. "If an agent can browse untrusted pages and also talk to privileged local services, loopback can become an attack surface and control planes must be authenticated, authorized, and isolated," Microsoft concluded

3

. The disclosure highlights the need for strict authentication and isolation of local control planes as AI agents become more capable of interacting with the open web and executing code.

Today's Top Stories

© 2026 TheOutpost.AI All rights reserved