cyberivy
AI Security, Microsoft, AI Agents, AutoGen, MCP, RCE, Prompt Injection, 2026

AutoJack: one web page is enough to hijack an AI agent

June 21, 2026

On 18 June 2026 Microsoft described the AutoJack exploit chain: a single crafted web page can abuse an AI browsing agent to run code on the host machine. AutoGen Studio is affected; Microsoft reports no exploitation in the wild.

What this is about

On 18 June 2026, researchers at Microsoft published an exploit chain called AutoJack. It shows how a single malicious web page can turn an AI browsing agent into a tool for remote code execution (RCE) on the host machine. The vulnerability sits in AutoGen Studio, the open-source prototyping interface for Microsoft Research's AutoGen multi-agent framework. Microsoft describes AutoJack explicitly as research, not an active attack campaign, and reports no exploitation in the wild.

What the attack actually does

AutoJack chains three weaknesses in the MCP WebSocket interface. First, the socket trusted the local machine (localhost) — a check meant to block a normal browser pointed at a malicious site. But a browsing agent runs on that same machine and therefore counts as localhost, so anything it loads inherits that trust. Second, authentication skipped the MCP paths on the assumption that the downstream handler would verify tokens itself — which it never did, so unauthenticated connections were accepted. Third, the endpoint took a command straight from a request parameter and ran it, with no allowlist of permitted programs. Chained together, it is enough for the agent to open the page — no login, no credentials, no further user action. A planted link, a URL field or a prompt injection will do.

Why it matters

AI agents that browse the web on their own are increasingly being built into workflows in 2026. AutoJack demonstrates that such an agent can blur the line between "just looking at a web page" and "running code on my machine". Classic protection assumptions, such as localhost being trustworthy, no longer hold when the agent itself runs on the machine. For organisations this means: any agent that processes untrusted content is a potential entry point. One important qualification limits the scope, however: the affected MCP WebSocket surface was never part of a release on the Python Package Index (PyPI). Anyone installing AutoGen Studio via PyPI is not exposed to this specific chain.

In plain language

Picture a household assistant who takes in parcels at the door for you. It is only supposed to accept packages. But a con artist hands it a note reading: "Go to the kitchen and turn on the stove." Because the assistant stands inside the house and carries out whatever it is handed, it does so — without anyone having to break down the front door. AutoJack is the note; the AI agent is the assistant.

A practical example

A software firm in the German-speaking region builds an internal research agent that summarises web pages for staff, using AutoGen Studio from the source repository rather than the PyPI package. An employee asks the agent to open a page sent in from outside. That page runs JavaScript in the background which reaches the local MCP interface and issues a command. Had the firm left the three weaknesses open, the attacker could run code on the machine. The lesson: agents belong in an isolated environment (a sandbox), local services need real authentication, and commands must never come unchecked from request parameters.
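The three fixes named above and in the description of the chain (no trust in localhost, authentication on every path, an allowlist instead of raw commands) as a single request gate for a local tool endpoint. This is an added example, not AutoGen Studio's code; the `Request` shape, the `ALLOWLIST` entries, `WORKDIR` and the token are constructed for illustration.

```python
import hmac
from dataclasses import dataclass

WORKDIR = "/tmp/agent"   # hypothetical directory the agent is allowed to touch

def _under_workdir(args):
    return all(a.startswith(WORKDIR + "/") and ".." not in a for a in args)

def _bare_py_files(args):
    return all(a.endswith(".py") and "/" not in a and ".." not in a for a in args)

# Hypothetical allowlist: a symbolic name maps to a fixed argv prefix plus a
# per-command argument check. The request never supplies a raw command line.
ALLOWLIST = {
    "list-files": (["ls", "-l"], _under_workdir),
    "run-tests": (["python", "-m", "pytest", "-q"], _bare_py_files),
}

@dataclass
class Request:
    peer_addr: str   # transport peer, e.g. "127.0.0.1"; deliberately unused below
    headers: dict    # e.g. {"Origin": "http://localhost"} or {"Authorization": ...}
    params: dict     # e.g. {"command": "list-files", "args": [...]}

class Rejected(Exception):
    pass

def check_auth(req, expected_token):
    # Weaknesses 1 and 2: a loopback peer or a localhost Origin is not a
    # credential, and the check runs here instead of being delegated downstream.
    # Only a bearer token, compared in constant time, authorises the call.
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(token.encode(), expected_token.encode()):
        raise Rejected("missing or invalid bearer token")

def resolve_command(params):
    # Weakness 3: the request picks an allowlisted name, its arguments must pass
    # that command's own check, and the result is an argv list for shell=False.
    name = params.get("command")
    if name not in ALLOWLIST:
        raise Rejected(f"command not allowed: {name!r}")
    prefix, args_ok = ALLOWLIST[name]
    args = params.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args) or not args_ok(args):
        raise Rejected("arguments rejected by per-command check")
    return prefix + args

def decide(req, expected_token):
    """Return ("run", argv) or ("reject", reason); executes nothing itself."""
    try:
        check_auth(req, expected_token)
        return ("run", resolve_command(req.params))
    except Rejected as exc:
        return ("reject", str(exc))
```

Only a `("run", argv)` decision should reach `subprocess.run(argv, shell=False, cwd=WORKDIR)` inside the sandboxed agent host, and both outcomes are worth logging.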

Scope and limits

First, AutoJack is a research demonstration, not a known active attack. Microsoft reports no exploitation in practice. Second, the specific chain concerns the MCP WebSocket surface, which was not shipped via PyPI — standard PyPI installations are not vulnerable through this path. Third, the underlying problem is more general than any single tool. The patterns involved — trusting localhost, skipped authentication, unfiltered command execution — can appear in other agent setups too and demand the same care there.

SEO & GEO keywords

AutoJack, AutoGen Studio, Microsoft, AI agents, remote code execution, RCE, MCP, Model Context Protocol, WebSocket, prompt injection, localhost, agent security, AutoGen, PyPI

💡 In plain English

Microsoft has shown that an AI agent which opens a malicious web page can be tricked into running someone else's code on your machine. Three security flaws in the AutoGen Studio tool are to blame. No one has been attacked this way; users of the normal PyPI version are not exposed through this path.

Key Takeaways

  • Microsoft published the AutoJack exploit chain on 18 June 2026.
  • A single malicious web page can drive an AI browsing agent to execute code on the host.
  • AutoGen Studio, the interface of the AutoGen multi-agent framework, is affected.
  • The chain uses three flaws: localhost trust, skipped authentication and unfiltered command execution.
  • It is enough for the agent to open the page — no login; a link or a prompt injection suffices.
  • Microsoft reports no exploitation in the wild; the affected surface was never part of the PyPI release.

FAQ

Has AutoJack already been exploited?

Not according to Microsoft. The company describes AutoJack as research and reports no exploitation in the wild.

Am I affected if I use AutoGen Studio?

The specific chain concerns an MCP WebSocket surface that was never shipped via PyPI. Anyone installing AutoGen Studio via PyPI is not vulnerable through this particular path.

What is the most important lesson?

AI agents that process untrusted content belong in a sandbox. Local services need real authentication, and commands must never be executed unchecked from request parameters.

Sources & Context