Microsoft — AutoJack RCE chain hijacks AutoGen Studio agents via MCP WebSocket
AI relevance: AutoJack turns a browsing AI agent into a remote shell — a concrete example of how localhost MCP surfaces collapse the trust boundary between untrusted web content and developer machines running agentic frameworks.
What happened
Microsoft disclosed AutoJack, a three-vulnerability exploit chain in AutoGen Studio (the graphical front-end to Microsoft Research's AutoGen multi-agent framework, 59k+ GitHub stars) that lets a single malicious webpage hijack a developer's AI agent into executing arbitrary commands on the host. The chain was found and hardened before any PyPI release, but developers who built AutoGen Studio from the main branch during a narrow window were exposed.
The three-bug chain
- Origin bypass via the agent. AutoGen Studio's MCP WebSocket trusts any connection that arrives from localhost. When the browsing agent renders an attacker-controlled page, the page's JavaScript opens a WebSocket to the local MCP endpoint. Browsers do not apply the same-origin policy to WebSocket handshakes: they attach an Origin header and leave validation to the server, and this server never checks it, so the cross-origin connection is accepted as if it came from the trusted local UI.
- Authentication gap on /api/mcp/*. The authentication middleware explicitly excludes MCP API routes, and the WebSocket endpoint itself implements no auth. Any page the agent visits can talk to the MCP control plane unauthenticated.
- Command injection via base64 `server_params`. The MCP WebSocket accepts a base64-encoded `server_params` value from the URL and hands it directly to the process-launching code. An attacker specifies arbitrary PowerShell, Bash, or executable invocations, and the agent's host runs them with the developer's privileges.
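The three bugs are all server-side admission failures, so the check a maintainer would want is an admission function for the WebSocket handshake. The block below is an added example, not AutoGen Studio's code: it models the AutoJack-style handling (trust the local peer, launch whatever the client's `server_params` names) next to a hardened form that validates the Origin header, requires a session token, and maps a client-supplied server name onto an operator-controlled allowlist instead of accepting a command line. The header layout, the JSON shape inside `server_params`, the allowlist, the trusted origins and the token value are all constructed assumptions.

```python
"""Admission check for an MCP WebSocket handshake: the AutoJack failure mode
beside a hardened form. Added example, not AutoGen Studio's code; the request
shape (an `origin` header, a bearer token, a base64 JSON `server_params` query
value) is a constructed approximation of what the advisory describes."""
import base64
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Assumed operator-controlled allowlist: the client may only name an entry,
# never supply a command line.
ALLOWED_SERVERS = {
    "filesystem": ["npx", "-y", "@modelcontextprotocol/server-filesystem", "/srv/share"],
    "fetch": ["uvx", "mcp-server-fetch"],
}

# Origins the Studio UI is actually served from (assumed; port 8081 per the advisory).
TRUSTED_ORIGINS = {"http://127.0.0.1:8081", "http://localhost:8081"}

# Per-session bearer token the UI holds after login (constructed value).
SESSION_TOKEN = "session-token-for-the-example"


@dataclass
class Decision:
    accepted: bool
    reason: str
    argv: Optional[list] = None  # what the server would launch, if accepted


def make_request(origin: Optional[str], token: Optional[str], params: dict):
    """Build (headers, query) as a browser would send them. Constructed test input."""
    headers = {}
    if origin is not None:
        headers["origin"] = origin
    if token is not None:
        headers["authorization"] = f"Bearer {token}"
    raw = base64.b64encode(json.dumps(params).encode()).decode()
    return headers, {"server_params": raw}


def decode_server_params(raw: str) -> dict:
    """Decode the base64 JSON blob from the URL; reject anything that is not an object."""
    try:
        params = json.loads(base64.b64decode(raw, validate=True))
    except (ValueError, TypeError) as exc:
        raise ValueError(f"bad server_params: {exc}") from exc
    if not isinstance(params, dict):
        raise ValueError("server_params must be a JSON object")
    return params


def vulnerable_admit(headers: dict, query: dict) -> Decision:
    """AutoJack-style handling: the peer is local, so no Origin check, no auth,
    and the client's own command/args become the launch argv."""
    params = decode_server_params(query["server_params"])
    argv = [params["command"], *params.get("args", [])]
    return Decision(True, "localhost peer accepted", argv)


def hardened_admit(headers: dict, query: dict) -> Decision:
    """Accept only if Origin is the UI's own, the session token matches, and the
    client names an allowlisted server rather than a command line."""
    # Browsers always send Origin on a WebSocket handshake and page script
    # cannot forge it. A missing Origin means a non-browser client; deny too.
    origin = headers.get("origin")
    if origin not in TRUSTED_ORIGINS:
        return Decision(False, f"origin not trusted: {origin!r}")
    # The Origin check stops cross-site pages; the token stops anything else
    # on the host, including non-browser clients that spoof Origin.
    token = headers.get("authorization", "").removeprefix("Bearer ")
    if not hmac.compare_digest(token, SESSION_TOKEN):
        return Decision(False, "missing or invalid session token")
    try:
        params = decode_server_params(query.get("server_params", ""))
    except ValueError as exc:
        return Decision(False, str(exc))
    if "command" in params or "args" in params:
        return Decision(False, "client-supplied command lines are not accepted")
    argv = ALLOWED_SERVERS.get(params.get("server"))
    if argv is None:
        return Decision(False, f"unknown server {params.get('server')!r}")
    return Decision(True, "ok", list(argv))


if __name__ == "__main__":
    # The attacker page's handshake: foreign Origin, no token, arbitrary argv.
    h, q = make_request("https://attacker.example", None,
                        {"command": "bash", "args": ["-c", "id"]})
    print("vulnerable:", vulnerable_admit(h, q))
    print("hardened:  ", hardened_admit(h, q))
    # The real UI: own Origin, valid token, names an allowlisted server.
    h, q = make_request("http://localhost:8081", SESSION_TOKEN, {"server": "fetch"})
    print("hardened:  ", hardened_admit(h, q))
```

The order of the checks matters less than the fact that all three exist: the Origin check alone is defeated by any non-browser client on the host, the token alone is defeated if it ever leaks into a URL the agent can be made to visit, and neither matters for bug three unless the server stops treating client input as an argv at all. Note that the vulnerable path never executes anything here; it only returns the argv it would have launched.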
Why it matters
- Agent-as-attack-surface is real. The agent is no longer a victim of prompt injection; it is the delivery mechanism. No jailbreak, no config change, no user interaction beyond visiting a page the agent is asked to triage.
- Localhost is not a trust boundary. MCP's design assumes local STDIO/WebSocket endpoints are safe. AutoJack shows that once an agent browses the open web, "local" is attacker-reachable.
- Third AI framework compromise in one week. AutoJack lands days after the Mastra framework supply-chain hit (DPRK Lazarus) and the LiteLLM CVE-2026-42271 addition to CISA KEV. The pattern — implicit trust in LLM output, weak sandboxing, exposed management interfaces — is systemic across the agentic stack.
- Blast radius includes internal LLM APIs. AutoGen instances typically hold keys for Azure OpenAI, Anthropic, or Vertex, plus vector DB credentials. Host-level RCE pivots directly into the enterprise model plane.
What to do
- Upgrade. AutoGen Studio 0.4.8 ships gVisor-based sandboxing, seccomp profiles, capability dropping, read-only rootfs, and network egress filtering for agent containers. Run `pip install --upgrade autogenstudio==0.4.8`, or pull the hardened Docker image and run it with `--runtime=runsc`.
- Isolate the dev profile. Run AutoGen Studio under a low-privilege account in a sandboxed user profile or container, never on a daily-driver host with live cloud credentials.
- Audit the branch-build window. If anyone on your team built AutoGen Studio from `main` between the MCP plugin landing and commit b047730, rotate every API key and service token reachable from that host.
- Separate browsing agents from code-execution agents. Any agent that renders untrusted web content should not share a process namespace with agents that execute code or hold production credentials.
- Firewall port 8081. AutoGen Studio's web UI has no auth by default. Shodan/Censys scans show ~4,200 publicly exposed instances; firewall yours today.