Vulnerability  ·  2026-06-22

AutoJack — Malicious Webpage Hijacks AutoGen Studio Browsing Agent via MCP WebSocket for Host RCE

Vulnerability · High impact · Global
Microsoft's Defender Security Research Team disclosed on June 18, 2026 an exploit chain dubbed AutoJack in AutoGen Studio's development branch. A malicious webpage rendered by a local AI browsing agent (e.g. MultimodalWebSurfer) opens a WebSocket to ws://localhost:8081/api/mcp/ws/, bypasses origin validation and authentication, and sends OS-command payloads that AutoGen Studio's MCP handler executes with the permissions of the host process. The three chained weaknesses are: (1) missing origin validation on the MCP WebSocket endpoint, (2) no authentication on the WebSocket handler, and (3) unsanitised command execution in the MCP tool dispatcher. The vulnerable surface was present in pre-release builds 0.4.3.dev1 and 0.4.3.dev2 uploaded to PyPI; the stable release (0.4.2.2) was not affected. Microsoft hardened the code before any stable release shipped, but the two dev builds remain on PyPI.
This is a novel agentic attack class: an attacker only needs to get an AI browsing agent to visit a URL (via a planted link, prompt injection, or a direct URL submission in the UI), and the page's JavaScript can then reach the privileged local MCP control plane and spawn arbitrary processes on the developer's or server's host. It demonstrates that localhost is not a trust boundary when an AI agent can browse untrusted web content and the same host exposes a privileged local service. The blast radius covers any developer or CI environment running the affected dev builds with a browsing agent.
Attack path: an attacker induces a local AI browsing agent to visit a malicious webpage; the page's JavaScript opens an unauthenticated WebSocket to localhost:8081/api/mcp/ws/, sends a crafted MCP command, and the server executes it as an OS process on the host.
Affected versions: AutoGen Studio 0.4.3.dev1 and 0.4.3.dev2 (pre-release PyPI builds); stable 0.4.2.2 is not affected.
Mitigation: uninstall/avoid 0.4.3.dev1 and 0.4.3.dev2; pin to stable release 0.4.2.2 (no MCP WebSocket route). Harden any MCP WebSocket surface with origin validation and authentication. See Microsoft Security Blog: https://www.microsoft.com/en-us/security/blog/2026/06/18/autojack-single-page-rce-host-running-ai-agent
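The three weaknesses above map onto three checks a local MCP WebSocket service should make. The following is an added example, not AutoGen Studio's code and not derived from Microsoft's write-up: it assumes a hypothetical handler that receives the HTTP upgrade headers as a dict, and it uses a constructed allowlist, a placeholder bearer token, and two constructed handshakes (one from a cross-origin page, one from a trusted non-browser client). It shows an Origin allowlist check, a constant-time bearer-token check, and a tool dispatcher that maps tool names to fixed callables instead of running command strings.

```python
"""Origin validation, authentication and safe tool dispatch for a localhost
WebSocket control plane. Added example; hypothetical handler, constructed data."""
import hmac
from urllib.parse import urlsplit

# Constructed placeholders: a real deployment loads these from configuration.
ALLOWED_ORIGINS = {"http://localhost:8081", "http://127.0.0.1:8081"}
EXPECTED_TOKEN = "dev-token-placeholder"


def normalize_origin(origin):
    """Return (scheme, host, port) for an Origin header value, or None if it is
    unparsable. Browsers always send Origin on a WebSocket handshake, so a page
    served from another site cannot hide where the connection came from."""
    try:
        parts = urlsplit(origin.strip())
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return None  # covers the literal "null" origin and garbage values
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return None
    return (parts.scheme, parts.hostname.lower(), port)


ALLOWED = {normalize_origin(o) for o in ALLOWED_ORIGINS}


def check_handshake(headers):
    """Decide whether to accept a WebSocket upgrade. Returns (accepted, reason).
    Header names are compared case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    # Weakness 1 fix: an Origin header sent by a browser must be on the allowlist.
    origin = h.get("origin")
    if origin is not None and normalize_origin(origin) not in ALLOWED:
        return (False, "origin not allowed")
    # Weakness 2 fix: require a bearer token. Page JavaScript cannot set an
    # Authorization header on a WebSocket, so a page-initiated connection fails
    # here even when the Origin check is somehow satisfied.
    scheme, _, token = h.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not hmac.compare_digest(token, EXPECTED_TOKEN):
        return (False, "missing or invalid bearer token")
    return (True, "ok")


# Weakness 3 fix: tools are fixed Python callables; no string reaches a shell.
def tool_echo(text):
    return text


def tool_add(a, b):
    return a + b


TOOL_REGISTRY = {"echo": tool_echo, "add": tool_add}


def dispatch_tool(message):
    """Run a tool by name from the registry. Unknown names (for example a
    hypothetical "shell" tool carrying a command string) are rejected."""
    fn = TOOL_REGISTRY.get(message.get("tool"))
    if fn is None:
        raise ValueError("unknown tool: %r" % (message.get("tool"),))
    args = message.get("args", {})
    if not isinstance(args, dict):
        raise ValueError("args must be an object")
    return fn(**args)


# Constructed handshakes for demonstration.
PAGE_HANDSHAKE = {          # what a browser sends for a page on another site
    "Host": "localhost:8081",
    "Origin": "https://attacker.example",
    "Upgrade": "websocket",
}
CLIENT_HANDSHAKE = {        # a trusted non-browser client holding the token
    "Host": "localhost:8081",
    "Authorization": "Bearer " + EXPECTED_TOKEN,
    "Upgrade": "websocket",
}

if __name__ == "__main__":
    print("page:", check_handshake(PAGE_HANDSHAKE))
    print("client:", check_handshake(CLIENT_HANDSHAKE))
    print("add:", dispatch_tool({"tool": "add", "args": {"a": 2, "b": 3}}))
```

The origin check alone is not sufficient, because non-browser clients can send any Origin value; the token check alone is not sufficient either if the token is ever exposed to page script. Together they close the page-to-localhost path the advisory describes, and the fixed registry removes the final step where a crafted message becomes an OS process.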
Sources
Microsoft Security Blog — AutoJack disclosure (June 18, 2026)
CyberSecurityNews — AutoJack (June 20, 2026)
The Hacker News — AutoJack Attack Lets One Web Page Hijack AI Agent