Researchers have disclosed a critical three-vulnerability exploit chain, dubbed AutoJack, that allows a single malicious web page to hijack Microsoft’s AutoGen Studio browsing agent and execute arbitrary code on the host machine — without any user interaction beyond submitting a URL. The findings, reported to Microsoft’s Security Response Center and addressed in commit b047730, expose a new and alarming attack surface unique to the era of agentic AI systems.
What Is AutoGen Studio?
AutoGen Studio is Microsoft Research’s open-source prototyping UI for multi-agent AI systems. Developers use it to build, test, and deploy AI agents that can browse the web, summarize content, and execute complex multi-step tasks. The product is commonly run locally on localhost:8081 alongside browsing agents such as MultimodalWebSurfer.
The AutoJack Exploit Chain
AutoJack chains three independent weaknesses in AutoGen Studio’s Model Context Protocol (MCP) WebSocket surface:
- CWE-1385 — Missing Origin Validation in WebSockets: The MCP WebSocket only accepts connections from http://127.0.0.1 or http://localhost. While this blocks a human browser tab on a malicious domain, it does not block JavaScript rendered by a headless browser owned by an AutoGen browsing agent — which inherits localhost identity, bypassing the check entirely.
- CWE-306 — Missing Authentication for Critical Function: AutoGen Studio’s authentication middleware explicitly skipped /api/mcp/* paths, assuming the WebSocket handler would enforce its own checks. It never did. As a result, the MCP WebSocket accepted unauthenticated connections regardless of the auth mode configured for the rest of the application.
- CWE-78 — OS Command Injection via server_params: The WebSocket endpoint accepted a server_params query parameter, base64-decoded it into a JSON blob, and passed command plus args directly to stdio_client(). With no executable allowlist in place, an attacker could supply powershell.exe or bash -c payloads as the “MCP server.”
How the Attack Unfolds
The end-to-end attack flow is alarmingly simple. A developer runs AutoGen Studio on localhost alongside a browsing agent. An attacker plants a malicious page or tricks the user into submitting an attacker-controlled URL. The headless browser navigates to the page, and its JavaScript opens a WebSocket to ws://localhost:8081/api/mcp/ws/<id>?server_params=<base64_payload>.
Because the browsing agent runs locally, the origin check passes. Because the auth middleware skips /api/mcp/*, no token is required. AutoGen Studio decodes the payload and spawns the attacker-specified command under the developer’s account. In proof-of-concept testing, calc.exe launched on the developer’s desktop within seconds of the agent rendering the malicious page — initiated by the AutoGen Studio process itself, not the browser.
Impact and Scope
The implications are severe. Any developer running AutoGen Studio locally alongside a web-browsing agent is potentially vulnerable to remote code execution simply by having their AI agent visit a malicious URL. The attacker does not need to compromise the user’s machine first, exploit a browser vulnerability, or trick the user into downloading a file. A single page visit is sufficient to achieve full RCE at the developer’s privilege level.
Importantly, Microsoft confirmed that the vulnerable MCP WebSocket surface was never included in any PyPI release, meaning developers who installed AutoGen Studio via pip install autogenstudio are not exposed to this specific chain. The vulnerability only affected installations built from the main branch prior to the fix.
Patches and Mitigations
Microsoft addressed all three vulnerabilities in commit b047730 (version 0.7.2) on the main branch:
- Server-side parameter binding — server_params is no longer accepted via URL query strings; parameters are stored server-side and keyed by UUID.
- Auth skip list tightened — /api/mcp no longer bypasses authentication middleware; all MCP routes now flow through standard auth.
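The following is an added example, not AutoGen Studio's own code, that places the weak pattern the exploit chain above relies on next to the hardened design described under Patches and Mitigations: an executable allowlist for MCP servers, server-side parameter storage keyed by UUID, and an auth skip list that no longer exempts /api/mcp. Every name in it is hypothetical and the sample payload is constructed for illustration.

```python
import base64
import json
import uuid

# Hypothetical allowlist of executables that may be launched as MCP servers.
MCP_SERVER_ALLOWLIST = frozenset({"npx", "uvx"})

# Constructed sample of the kind of blob the vulnerable endpoint accepted:
# base64 of a JSON object carrying command and args, straight from the URL.
SAMPLE_SERVER_PARAMS_B64 = base64.b64encode(
    json.dumps({"command": "bash", "args": ["-c", "true"]}).encode()
).decode()


class RejectedServerParams(ValueError):
    """Raised when client-supplied MCP server parameters fail validation."""


# Weak pattern (as the article describes it): decode the query parameter and
# hand command plus args to the process spawner with no allowlist check.
def decode_server_params_weak(server_params_b64: str) -> dict:
    blob = json.loads(base64.b64decode(server_params_b64))
    return {"command": blob["command"], "args": list(blob.get("args", []))}


# Hardened pattern: an authenticated caller registers parameters server-side,
# they are checked against the allowlist, and only an opaque UUID is ever
# handed to the WebSocket client; the command itself never travels in a URL.
_registry: dict[str, dict] = {}


def register_server_params(command: str, args: list[str]) -> str:
    if command not in MCP_SERVER_ALLOWLIST:
        raise RejectedServerParams(f"executable not allowlisted: {command!r}")
    if not all(isinstance(a, str) for a in args):
        raise RejectedServerParams("args must be a list of strings")
    key = str(uuid.uuid4())
    _registry[key] = {"command": command, "args": list(args)}
    return key


def resolve_server_params(key: str) -> dict:
    try:
        return _registry[key]
    except KeyError:
        raise RejectedServerParams("unknown server_params id") from None


# Auth middleware skip list: the weak configuration exempted /api/mcp/*; the
# tightened one exempts nothing, so MCP routes flow through standard auth.
WEAK_AUTH_SKIP: tuple[str, ...] = ("/api/mcp/",)
TIGHTENED_AUTH_SKIP: tuple[str, ...] = ()


def requires_auth(path: str, skip_prefixes: tuple[str, ...]) -> bool:
    return not any(path.startswith(prefix) for prefix in skip_prefixes)
```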
Broader Lessons for AI Agent Security
AutoJack illustrates a new class of vulnerability that emerges when AI agents are given the ability to browse untrusted content while also communicating with privileged local services. The local environment can no longer be treated as a secure boundary when an agent can render arbitrary web content.
- Treat any tool parameter reachable from model output as attacker-controlled input.
- Never bind sensitive control planes to localhost without authentication.
- Allowlist executables that may be invoked as MCP servers.
- Isolate agent identity from developer identity using containers, separate OS users, or virtual machines.
- Audit all agentic frameworks for trust boundaries between web browsing and local service communication.
As AI agents become more deeply integrated into developer workflows, the attack surface expands accordingly. AutoJack is unlikely to be the last exploit chain of this kind — and defenders must begin treating agent-accessible local services with the same rigor as internet-facing infrastructure.