
AutoJack – A Single Web Page Can Hijack Your AI Agent to Execute Malicious Code

Cybersecurity News · June 20, 2026




By Guru Baran, June 20, 2026

A critical exploit chain dubbed AutoJack allows a single malicious web page to hijack Microsoft’s AutoGen Studio browsing agent and execute arbitrary code on the host machine, with no user interaction beyond submitting a URL. AutoJack is a three-vulnerability exploit chain targeting AutoGen Studio, Microsoft Research’s open-source prototyping UI for multi-agent AI systems. The technique weaponizes the agent’s built-in web-browsing capability to cross the localhost trust boundary, turning the AI agent into an unwitting delivery vehicle for remote code execution (RCE).

Researchers reported the findings to the Microsoft Security Response Center (MSRC), and the upstream main branch was hardened in commit b047730. Crucially, the vulnerable MCP WebSocket surface was never included in any PyPI release, so developers who install AutoGen Studio via pip are not exposed to this specific chain.

AutoJack Vulnerability Chain

AutoJack chains three independent weaknesses in AutoGen Studio’s Model Context Protocol (MCP) WebSocket surface:

CWE-1385 – Missing Origin Validation in WebSockets: The MCP WebSocket only accepts connections from http://127.0.0.1 or http://localhost. While this blocks a human browser tab on evil.com, it does not block JavaScript rendered by a headless browser owned by an AutoGen browsing agent, which inherits localhost identity and bypasses the check entirely.

CWE-306 – Missing Authentication for Critical Function: AutoGen Studio’s authentication middleware explicitly skipped /api/mcp/* paths, assuming the WebSocket handler would enforce its own checks. It never did. As a result, the MCP WebSocket accepted unauthenticated connections regardless of the auth mode configured for the rest of the application.

CWE-78 – OS Command Injection via server_params: The WebSocket endpoint accepted a server_params query parameter, base64-decoded it into a JSON blob, parsed it into StdioServerParams, and passed command + args directly to stdio_client(). With no executable allowlist in place, an attacker could supply calc.exe, powershell.exe -enc …, or bash -c '...' as the “MCP server.”

The end-to-end flow is straightforward. A developer runs AutoGen Studio on localhost:8081 alongside a browsing agent, such as a web summarizer built with MultimodalWebSurfer. An attacker plants a malicious page (or tricks the user into submitting an attacker-controlled URL). The headless browser navigates to the page; its JavaScript opens a WebSocket to ws://localhost:8081/api/mcp/ws/<id>?server_params=<base64_payload>. Because the browsing agent runs locally, the origin check passes; because the auth middleware skips /api/mcp/*, no token is required. AutoGen Studio decodes the payload and spawns the attacker-specified command under the developer’s account. In proof-of-concept testing, calc.exe launched on the developer’s desktop within seconds of the agent rendering the malicious page, initiated by the AutoGen Studio process itself, not the browser.

Fixes Applied

Microsoft’s maintainers addressed all three issues:

Server-side parameter binding: server_params is no longer accepted via the URL; parameters are stored server-side and keyed by UUID.

Auth skip list tightened: /api/mcp no longer bypasses middleware; all MCP routes now flow through standard authentication.

These changes are live on the main branch as of commit b047730 (version 0.7.2). The published PyPI package (autogenstudio 0.4.2.2) was confirmed to contain no mcp.py route file and no StdioServerParams references.

To defend against AutoJack-style attacks more broadly:

Treat any tool parameter reachable from model output as attacker-controlled.

Never bind sensitive control planes to localhost without authentication; loopback is an attack surface for any agent on that machine.

Allowlist the executables that may be invoked as MCP servers.

Isolate agent identity from developer identity using containers, separate OS users, or VMs.

If building from main, use a build at or after commit b047730.

AutoJack highlights a risk pattern that is emerging across AI agent frameworks: an agent that can browse untrusted content while also being able to reach privileged local services. In that configuration, the local environment can no longer be treated as a secure boundary. Mitigating the risk requires consistent control-plane authentication, strict action allowlisting, and identity isolation, whatever framework is in use.
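The three gates the chain walks through, modelled as an added Python example (not AutoGen Studio’s own code): one function reproduces the pre-fix decision logic the article describes, and a second applies the published fixes plus the executable allowlist the guidance above recommends. The token, allowlist, registry entry and sample payload are constructed for the demonstration.

```python
import base64
import json

# Constructed values for this demonstration; none are AutoGen Studio's own.
VALID_TOKEN = "demo-token"
MCP_ALLOWLIST = {"npx", "uvx"}          # executables an operator has vetted as MCP servers
SERVER_REGISTRY = {                     # server-side parameters keyed by UUID (post-fix design)
    "7a1e4b2c-demo-uuid": {"command": "npx", "args": ["example-mcp-server"]},
}
# Sample server_params blob in the shape the article describes: base64 over a JSON
# object naming an executable. calc.exe is the harmless proof-of-concept command.
SAMPLE_PARAMS_B64 = base64.b64encode(
    json.dumps({"command": "calc.exe", "args": []}).encode()
).decode()


def vulnerable_accepts(origin, path, token, params_b64):
    """Pre-fix decision logic. Returns (would_spawn, command_or_reason)."""
    # CWE-1385: a loopback-only Origin check. The agent's headless browser runs
    # on the same host, so anything it renders passes this gate.
    if origin not in ("http://127.0.0.1", "http://localhost"):
        return False, "origin rejected"
    # CWE-306: the auth middleware skipped /api/mcp/* and the handler never
    # checked a token itself.
    if not path.startswith("/api/mcp/") and token != VALID_TOKEN:
        return False, "unauthenticated"
    # CWE-78: the command comes straight from the attacker-supplied query
    # parameter and would be handed to stdio_client() with no allowlist.
    params = json.loads(base64.b64decode(params_b64))
    return True, params["command"]


def hardened_accepts(path, token, server_id, query):
    """Post-fix logic plus the executable allowlist the article recommends."""
    # Authentication is enforced on every route (path no longer matters); no skip list.
    if token != VALID_TOKEN:
        return False, "unauthenticated"
    # server_params is no longer accepted from the URL at all.
    if "server_params" in query:
        return False, "server_params in URL rejected"
    # Parameters come only from the server-side registry, keyed by UUID.
    params = SERVER_REGISTRY.get(server_id)
    if params is None:
        return False, "unknown server id"
    # Defence in depth: only vetted executables may be spawned.
    if params["command"] not in MCP_ALLOWLIST:
        return False, "executable not allowlisted"
    return True, params["command"]
```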