What happened
On June 18, 2026, Microsoft disclosed AutoJack, an exploit chain found in AutoGen Studio's development branch. A malicious webpage rendered by a browsing agent opens a WebSocket to the local MCP server, bypasses its origin validation and authentication, and executes arbitrary OS commands, achieving remote code execution (RCE) on the host with no user interaction beyond submitting a URL. The issue was fixed in commit b047730 (version 0.7.2).
Why it matters
AutoJack demonstrates a new attack class: localhost ceases to be a trust boundary once an AI agent both browses the open web and communicates with privileged local services. The same pattern affects any AI agent framework that exposes a local MCP WebSocket endpoint, making it a template threat for the entire agentic AI ecosystem.
Applicability
Any team running AutoGen Studio must upgrade to ≥0.7.2 immediately; security architects designing AI agent frameworks must enforce authentication and origin validation on all local MCP endpoints.
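As an added illustration of the mitigation named above (example code written for this brief, not AutoGen Studio's own implementation), the following handshake check applies a strict Origin allowlist and a per-session bearer token to a local WebSocket endpoint. The port, allowed origins and token are constructed values; how the token reaches the server is transport-specific (browser clients cannot set Authorization on a WebSocket, so it is usually carried in a Sec-WebSocket-Protocol entry).

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed values for the example. A real server generates the token at
# startup and hands it only to its own local front end, never to web content.
SESSION_TOKEN = secrets.token_urlsafe(32)
ALLOWED_ORIGINS = {"http://localhost:8081", "http://127.0.0.1:8081"}


def origin_allowed(origin, allowed=ALLOWED_ORIGINS):
    """Exact allowlist match on scheme://host[:port] of the Origin header.

    A missing Origin is rejected: browsers always send it on a cross-site
    WebSocket handshake, so its absence means a non-browser client that
    should authenticate some other way, or a request we cannot attribute.
    """
    if not origin:
        return False
    parsed = urlparse(origin)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False
    # Compare the whole normalized origin, not a substring, so that
    # "http://localhost.attacker.example" never matches "localhost".
    return f"{parsed.scheme}://{parsed.netloc}".lower() in allowed


def token_valid(presented, expected=SESSION_TOKEN):
    """Constant-time comparison of the presented session token."""
    if not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def authorize_handshake(origin, presented_token,
                        expected_token=SESSION_TOKEN, allowed=ALLOWED_ORIGINS):
    """Decide whether a WebSocket upgrade may proceed: (accepted, reason).

    Both checks are required. Origin alone fails against non-browser
    clients that can forge it; the token alone fails if it ever leaks to
    page content, so the two are layered.
    """
    if not origin_allowed(origin, allowed):
        return False, "origin not allowlisted"
    if not token_valid(presented_token, expected_token):
        return False, "missing or invalid session token"
    return True, "ok"
```

Binding the listener to 127.0.0.1 remains necessary but, as AutoJack shows, is not sufficient on its own.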