AutoJack: How a single page can RCE the host running your AI agent
ID: 42464d4d-125d-5ae6-9ac7-ab66698b4afd
STIX ID: report--42464d4d-125d-5ae6-9ac7-ab66698b4afd
Feed Name: Microsoft Security
Date Published: 2026-06-19
Date Updated: 2026-06-19
Author: Microsoft Defender Security Research Team
Microsoft Defender Security Research describes “AutoJack”: a chained vulnerability in AutoGen Studio where an attacker-controlled webpage rendered by a local browsing agent can open a localhost MCP WebSocket and cause the application to spawn arbitrary processes (remote code execution). The chain combined an origin-allowlist bypass for agent-driven browsers, auth middleware skipping MCP paths, and direct execution of base64-encoded server_params; the issue was fixed on main before any PyPI release and the report includes hardening guidance and Defender hunting queries.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
