Solutions  ·  2026-06-20

AutoJack — Novel AI Agent RCE Exploit Chain via Localhost MCP WebSocket (AutoGen Studio, Microsoft Research)

Solutions · High impact · Global
Microsoft disclosed on June 18, 2026 an exploit chain (AutoJack) found in AutoGen Studio's development branch: a malicious webpage rendered by a browsing AI agent can open a WebSocket to ws://localhost:8081/api/mcp/ws/, cross the localhost trust boundary, and spawn arbitrary processes on the host machine, achieving RCE with no user interaction beyond the agent visiting the page. The vulnerable surface was hardened before reaching a PyPI release. Microsoft's disclosure frames the attack class generally rather than as a single bug: any agent framework that (a) browses untrusted web content and (b) exposes privileged localhost services that rely on locality alone for trust is structurally vulnerable.
AutoJack defines a novel, broadly applicable attack class — not just an AutoGen bug. Any AI browsing agent paired with a local MCP server or developer tooling (VS Code extensions, local LLM endpoints, etc.) shares this risk. The localhost trust assumption underpinning most developer-side AI tooling is now explicitly broken.
All teams running AI browsing agents (AutoGen, LangGraph, CrewAI, custom) alongside local MCP servers or privileged localhost services should immediately audit which localhost ports and services the agent's browsing context can reach. Framework developers must add authentication and origin validation to all localhost WebSocket endpoints; a bind to 127.0.0.1 is not a security boundary once a browser on the same host renders attacker-controlled pages.
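The following is an added example, not code from AutoGen Studio or from Microsoft's disclosure. It models the handshake a browser sends when a page calls new WebSocket("ws://localhost:8081/api/mcp/ws/") and shows the two checks recommended above: exact-match Origin validation and a per-session token that the local UI passes in the query string. The endpoint path and port come from the disclosure; the allowlisted origins, the token parameter name, and the sample requests are constructed assumptions. A deliberately weak substring origin check is included beside the strict one to show why "localhost" in the Origin string is not validation.

```python
"""Origin and token checks for a localhost WebSocket handshake (added example)."""
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed: the local UI is served from one of these origins and is the only
# page that may open the MCP WebSocket. Compared as scheme://host:port, exactly.
ALLOWED_ORIGINS = frozenset({"http://localhost:8081", "http://127.0.0.1:8081"})
TOKEN_PARAM = "token"  # assumed query-parameter name for the per-session secret


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host:port for an Origin header, or None if unparsable.

    'null' (sandboxed iframes, file:// pages) and non-http schemes yield None,
    so they fall through to rejection instead of matching anything.
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # garbage port component
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return f"{parts.scheme}://{parts.hostname.lower()}:{port}"


def weak_origin_ok(headers: dict) -> bool:
    """The check that looks right but is bypassable: a substring match.

    'http://localhost.attacker.example:8081' passes this test.
    """
    h = {k.lower(): v for k, v in headers.items()}
    return "localhost" in h.get("origin", "")


def authorize_handshake(path: str, headers: dict, session_token: str,
                        allow_missing_origin: bool = False):
    """Decide one WebSocket upgrade request. Returns (accepted, reason).

    path            request target, e.g. '/api/mcp/ws/?token=...'
    headers         handshake headers (case-insensitive names)
    session_token   random secret generated by the server at startup and
                    handed only to the local UI
    allow_missing_origin  permit non-browser clients (no Origin header);
                    they still need the token
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        if not allow_missing_origin:
            return False, "missing Origin"
    else:
        norm = normalize_origin(origin)
        if norm is None or norm not in ALLOWED_ORIGINS:
            return False, f"origin not allowed: {origin}"
    presented = parse_qs(urlsplit(path).query).get(TOKEN_PARAM, [""])[0]
    # Constant-time comparison so the token cannot be recovered by timing.
    if not hmac.compare_digest(presented.encode(), session_token.encode()):
        return False, "bad or missing token"
    return True, "ok"


def run_samples(session_token: str) -> dict:
    """Constructed handshakes: what a malicious page vs. the local UI sends."""
    good_path = f"/api/mcp/ws/?{TOKEN_PARAM}={session_token}"
    samples = {
        "attacker page, no token":
            ("/api/mcp/ws/", {"Origin": "https://attacker.example"}, False),
        "attacker page, lookalike host":
            (good_path, {"Origin": "http://localhost.attacker.example:8081"}, False),
        "sandboxed frame, null origin":
            (good_path, {"Origin": "null"}, False),
        "local UI, valid token":
            (good_path, {"Origin": "http://localhost:8081"}, False),
        "local UI, stale token":
            ("/api/mcp/ws/?token=stale", {"Origin": "http://localhost:8081"}, False),
        "CLI client, no Origin":
            (good_path, {}, True),
    }
    return {name: authorize_handshake(p, hdrs, session_token, allow_missing_origin=amo)
            for name, (p, hdrs, amo) in samples.items()}


if __name__ == "__main__":
    tok = secrets.token_urlsafe(32)  # minted once per server process
    for name, (accepted, reason) in run_samples(tok).items():
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {name}: {reason}")
    print("weak check on lookalike origin:",
          weak_origin_ok({"Origin": "http://localhost.attacker.example:8081"}))
```

Note that a page's JavaScript cannot set arbitrary headers on a WebSocket handshake, so the token has to travel in the URL (or the subprotocol) for the legitimate local UI as well; the defence rests on the token being random and never exposed to the agent's browsing context, and on the Origin check rejecting everything the UI's own origin does not exactly match.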
Sources
Microsoft Security Blog — AutoJack: How a single page can RCE the host running your AI agent