AGENTS MEDIUM NEW

AutoJack: a browsing agent turns a malicious webpage into host RCE

Microsoft's June 18, 2026 AutoJack research shows a web-browsing AI agent inheriting localhost identity to reach a local MCP WebSocket and spawn arbitrary processes on the host.

2026-06-21 // 6 min read // affects: autogen-studio, autogen, mcp, browsing-agents

What is this?

On June 18, 2026, the Microsoft Defender Security Research Team published AutoJack, an exploit chain in AutoGen Studio — the open-source prototyping UI for Microsoft’s AutoGen multi-agent framework. A single malicious webpage, once rendered by a local browsing agent, can reach a local Model Context Protocol (MCP) WebSocket and spawn arbitrary processes on the host. Microsoft named it AutoJack because the technique “carjacks” the agent and turns it into the attacker’s last-mile delivery vehicle, crossing the localhost trust boundary that countless developer tools quietly depend on. The bug was reported to MSRC and fixed in upstream commit b047730 before any public release — so this is documented as a pattern, not a live 0-day.

How it works

AutoJack composes three independent weaknesses in AutoGen Studio’s MCP WebSocket surface. None is exotic on its own; chained, they produce host code execution.

First, an origin allowlist that the agent itself defeats (CWE-1385, missing origin validation in WebSockets). The MCP WebSocket only accepts connections whose Origin header is http://127.0.0.1 or http://localhost. That correctly blocks a human pointing a browser at evil.example, because a browser fills Origin from the page it is showing and page script cannot override it. It does not block what runs on the same machine under the agent's control: a headless browser owned by the agent (a MultimodalWebSurfer, a Playwright-backed surfer) or any code-execution tool, which is not a browser at all and can send whatever Origin the allowlist expects. Origin is a client-asserted header; an allowlist on it is a courtesy honoured by well-behaved browsers, not authentication of the caller. Anything the agent loads or runs inherits the loopback identity.

Second, authentication is opt-out for MCP paths (CWE-306, missing authentication for a critical function). AutoGen Studio’s auth middleware explicitly skipped /api/mcp/* and /api/ws/*, assuming those handlers would check tokens themselves. The MCP WebSocket handler never did, so it accepted connections with no auth regardless of the configured mode.

Third, server_params from the URL is the command line (CWE-78, OS command injection). The endpoint read a server_params query parameter, base64-decoded a JSON blob into StdioServerParams, and handed command + args straight to stdio_client(). With no executable allowlist, calc.exe, powershell.exe -enc [REDACTED], or bash -c [REDACTED] were all accepted as “MCP servers.”

The end-to-end chain: the user gives a benign-looking “summarize this URL” agent an attacker page; the agent’s headless browser renders it; the page’s JavaScript opens ws://localhost:8081/api/mcp/ws/<id>?server_params=[REDACTED]; because the request originates on-box the origin check passes, because the middleware short-circuits MCP paths no token is required, and AutoGen Studio decodes the payload and spawns the attacker’s command under the developer’s account. This is a textbook confused-deputy problem — no payload is reproduced here because the lesson is structural, not a recipe.
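To make the composition concrete, here is an added toy model of the three checks above and of the hardened form Microsoft's fix takes (an executable allowlist plus a server-side registry keyed by UUID). This is illustration code written for this page, not AutoGen Studio's implementation: the function names, the StdioServerParams stand-in, the allowlist contents and the sample server name are assumptions, and nothing here spawns a process; each handler returns the argv that stdio_client() would otherwise have been handed.

```python
"""Toy model of the AutoJack weaknesses beside their hardened forms.

Added illustration, not AutoGen Studio's code. Function names, the
StdioServerParams stand-in and the allowlist contents are assumptions.
No process is spawned; handlers return the argv they would have launched.
"""
import base64
import json
import uuid
from dataclasses import dataclass, field
from typing import Optional

# --- Weakness 1: origin allowlist (CWE-1385) ---------------------------------
ALLOWED_ORIGINS = {"http://127.0.0.1", "http://localhost"}


def origin_allowed(headers: dict) -> bool:
    """Only a client-asserted header is checked. A browser fills Origin from
    the page's own origin, but a code-execution tool or a Playwright session
    with extra headers can present whatever value the allowlist expects."""
    return headers.get("Origin") in ALLOWED_ORIGINS


# --- Weakness 2: auth middleware carve-out (CWE-306) --------------------------
SKIPPED_PREFIXES = ("/api/mcp/", "/api/ws/")


def auth_required_vulnerable(path: str) -> bool:
    # Skips MCP/WS paths on the assumption the handler checks tokens itself.
    return not path.startswith(SKIPPED_PREFIXES)


def auth_required_fixed(path: str) -> bool:
    # No carve-outs: every /api/ route, WebSocket or not, needs a token.
    return path.startswith("/api/")


# --- Weakness 3: command line taken from the URL (CWE-78) ---------------------
@dataclass
class StdioServerParams:  # stand-in for the real class, not its definition
    command: str
    args: list = field(default_factory=list)


def params_from_query_vulnerable(server_params_b64: str) -> list:
    """base64 -> JSON -> StdioServerParams -> argv, with no executable check."""
    blob = json.loads(base64.b64decode(server_params_b64))
    p = StdioServerParams(command=blob["command"], args=list(blob.get("args", [])))
    return [p.command, *p.args]


def handle_ws_vulnerable(headers: dict, path: str, server_params_b64: str,
                         token: Optional[str] = None) -> tuple:
    """The pre-fix handler: the three checks composed as the page describes."""
    if not origin_allowed(headers):
        return ("reject", "origin")
    if auth_required_vulnerable(path) and token is None:
        return ("reject", "auth")
    return ("spawn", params_from_query_vulnerable(server_params_b64))


# --- Hardened form: executable allowlist + registry keyed by UUID -------------
MCP_EXECUTABLE_ALLOWLIST = {"npx", "uvx"}  # assumed policy; bare names only
_registry: dict = {}


def is_allowed_server(p: StdioServerParams) -> bool:
    # Exact match on the bare executable name. Resolve the path at launch time
    # (shutil.which) instead of accepting a caller-supplied path.
    return p.command in MCP_EXECUTABLE_ALLOWLIST


def register_server(p: StdioServerParams) -> str:
    """The authenticated POST: stores the parameters server-side and returns
    an opaque id. The id, not a command line, is what rides on the URL."""
    if not is_allowed_server(p):
        raise PermissionError(f"executable not allowlisted: {p.command}")
    sid = str(uuid.uuid4())
    _registry[sid] = p
    return sid


def resolve_server(sid: str) -> Optional[list]:
    p = _registry.get(sid)
    return None if p is None else [p.command, *p.args]


def handle_ws_hardened(headers: dict, path: str, sid: str,
                       token: Optional[str] = None) -> tuple:
    if not origin_allowed(headers):
        return ("reject", "origin")
    if auth_required_fixed(path) and token is None:
        return ("reject", "auth")
    argv = resolve_server(sid)
    if argv is None:
        return ("reject", "unknown-server-id")   # refuses ids it never issued
    return ("spawn", argv)


def encode_server_params(command: str, args: list) -> str:
    """Builds the ?server_params= value a page script would send (constructed)."""
    blob = json.dumps({"command": command, "args": args}).encode()
    return base64.b64encode(blob).decode()


if __name__ == "__main__":
    q = encode_server_params("calc.exe", [])
    print(handle_ws_vulnerable({"Origin": "http://localhost"}, "/api/mcp/ws/x", q))
    sid = register_server(StdioServerParams("npx", ["-y", "some-mcp-server"]))
    print(handle_ws_hardened({"Origin": "http://localhost"}, "/api/mcp/ws/x", sid, token="t"))
```

Two things the toy makes visible that the prose only states. The vulnerable handler rejects a real cross-origin browser but accepts the same request as soon as the Origin header reads http://localhost, and on the skipped path it never asks for a token. The hardened handler is not only stricter on each check; it changes what the URL can carry at all, so even a caller that defeats the origin and token checks can only name an id the server itself issued through an authenticated, allowlisted registration.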

Why it matters

The headline isn’t AutoGen Studio specifically — Microsoft is explicit that the affected route never shipped to PyPI, and the current published package (autogenstudio 0.4.2.2) does not contain it. The headline is the pattern: when an agent on your workstation can both browse untrusted content and talk to privileged local services, localhost stops being a trust boundary. Loopback has long been treated as implicitly trusted — debug endpoints, dev databases, code executors, and MCP control sockets routinely bind to it without auth. An on-box browsing agent dissolves that assumption, because external content now steers a process that already lives inside the trust zone. This is the same structural risk family as the lethal trifecta and localhost agent hijack — the agent is the bridge between untrusted input and privileged capability.

Defenses

The mitigations are concrete and mostly architectural:

  • Never bind sensitive control planes to localhost without authentication. MCP control sockets, debug endpoints, code executors, and dev databases on loopback are an attack surface for any agent on the machine, not a safe default.
  • Allowlist which executables may be launched as MCP servers instead of accepting command/args from any caller. Microsoft’s fix moved parameters server-side: a separate POST stores them keyed by a UUID, and the WebSocket handler refuses unknown IDs.
  • Put the control plane behind an authenticated reverse proxy that enforces auth on all paths, including WebSocket and /api/* routes — don’t rely on framework auth modes alone.
  • Track content provenance and run prompt-injection shields on fetched pages to catch the early navigation stage, when attacker content first steers the agent toward a malicious page.
  • Lean on EDR behavioral detection. The chain ends with a Python or Node parent spawning an unexpected child process — exactly the pattern endpoint detection is built to flag. Running experimental agent builds in managed or sandboxed workstations contains the blast radius.
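The last bullet is the one detection the chain cannot avoid: whatever the payload, a Python or Node parent ends up creating a child it has no business creating. As an added example, not a vendor rule and not part of the Microsoft research, here is that logic run over a few constructed process-creation events. Field names follow Sysmon Event ID 1 conventions, the script-host and expected-child sets are assumed policy, and every event is made up for the example.

```python
"""Behavioural detection for the tail of the AutoJack chain: a script-host
parent (Python or Node) spawning an unexpected child.

Added example, not a vendor rule. Field names follow Sysmon Event ID 1
conventions; the host/child sets are assumed policy; events are constructed.
"""

SCRIPT_HOSTS = {"python", "python3", "python.exe", "pythonw.exe", "node", "node.exe"}
# Children a legitimate MCP stdio launch is expected to produce (assumed policy).
EXPECTED_MCP_CHILDREN = {"npx", "npx.cmd", "uvx", "uvx.exe", "uv", "uv.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "pwsh", "cmd.exe", "bash", "sh", "zsh"}
ENCODED_FLAGS = ("-enc", "-encodedcommand", "-e ")
INLINE_FLAGS = (" -c ", " /c ")


def image_name(path: str) -> str:
    """Basename, case-folded, tolerant of either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict):
    """Return a reason string if the event matches the rule, else None."""
    parent = image_name(event["ParentImage"])
    child = image_name(event["Image"])
    if parent not in SCRIPT_HOSTS:
        return None                       # rule is scoped to agent runtimes
    if child in EXPECTED_MCP_CHILDREN:
        return None                       # a normal MCP server start
    cmd = " " + event["CommandLine"].lower() + " "
    if child in SHELLS:
        if any(flag in cmd for flag in ENCODED_FLAGS):
            return "encoded-shell-from-script-host"
        if any(flag in cmd for flag in INLINE_FLAGS):
            return "inline-shell-from-script-host"
        return "shell-from-script-host"
    return "unexpected-child-of-script-host"


def scan(events):
    """Return (ProcessId, reason) for every event the rule fires on."""
    return [(e["ProcessId"], r) for e in events if (r := classify(e)) is not None]


# Constructed sample telemetry; not captured from a real host.
SAMPLE_EVENTS = [
    {"ProcessId": 4101, "ParentImage": r"C:\Python312\python.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand QQBBAEEA"},
    {"ProcessId": 4102, "ParentImage": r"C:\Python312\python.exe",
     "Image": r"C:\Windows\System32\calc.exe", "CommandLine": "calc.exe"},
    {"ProcessId": 4103, "ParentImage": r"C:\Python312\python.exe",
     "Image": r"C:\Users\dev\.local\bin\uvx.exe",
     "CommandLine": "uvx mcp-server-fetch"},
    {"ProcessId": 4104, "ParentImage": "/usr/bin/node",
     "Image": "/bin/bash", "CommandLine": "bash -c 'id'"},
    {"ProcessId": 4105, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(pid, reason)
```

The exemption for expected MCP launchers is the rule's blind spot: it keeps the ordinary server start quiet, but a launcher handed attacker-controlled arguments would pass through it too. A tighter rule inspects the launcher's arguments as well, or fires on the launcher's own grandchildren, at the cost of tuning against each team's real MCP inventory.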

Status

Item          Detail
Disclosed     June 18, 2026 (Microsoft Defender Security Research Team)
Affected      AutoGen Studio MCP WebSocket route built from main during the pre-release window
Not affected  PyPI release autogenstudio 0.4.2.2 (route not present)
Fix           Upstream commit b047730; main at version 0.7.2
Class         CWE-1385 + CWE-306 + CWE-78 chained → host RCE

Sources