The MCP WebSocket accepted all traffic from the loopback interface (127.0.0.1) as inherently trusted. It did not validate whether the request actually came from the legitimate agent or from attacker-controlled web content that the agent had rendered. Because the agent itself runs locally, any webpage loaded by the agent could send WebSocket messages that the MCP service treated as if they originated from a trusted local source.
The MCP WebSocket required no authentication, session tokens, or origin checks. Any local process — or any script running inside a webpage rendered by the agent — could reach the WebSocket and send commands without credentials. This meant there was no way for the service to distinguish between legitimate agent tool calls and malicious instructions injected by an attacker’s webpage.
The MCP service blindly executed tool commands received over the WebSocket. It allowed arbitrary process creation without sandboxing, capability checks, or user confirmation. Once the attacker’s content reached the WebSocket, it could instruct the service to run any command on the host.
When combined, these three weaknesses allow a webpage to instruct the AI agent’s browsing engine to connect to the MCP WebSocket, send crafted tool commands, and execute arbitrary code — all without the user clicking a second button.
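As an added illustration of what the three missing checks amount to on the defending side (this is not AutoGen Studio's code), the admission logic below refuses to treat a loopback source address as trust, checks the Origin header, requires a per-launch session secret, and gates each tool call against an allowlist. It assumes the service can inspect the HTTP upgrade headers before accepting the socket and that the secret is handed to the legitimate agent out of band; all names and values are hypothetical.

```python
"""Hardened admission checks for a localhost MCP-style WebSocket (added example)."""
import hmac
import secrets
from dataclasses import dataclass

# Constructed per-launch secret. A real service would generate this at startup
# and pass it only to the legitimate agent process, never to rendered pages.
SESSION_TOKEN = secrets.token_urlsafe(32)

# Origins allowed to open the socket (hypothetical value). Browser-rendered
# content always sends an Origin header; a non-browser client normally sends none.
ALLOWED_ORIGINS = frozenset({"http://127.0.0.1:8081"})

# Tools the service is willing to run; anything not listed is refused outright.
ALLOWED_TOOLS = frozenset({"read_file", "list_dir"})


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str


def admit_upgrade(headers: dict[str, str], token: str = SESSION_TOKEN) -> Decision:
    """Decide whether to complete the WebSocket handshake.

    The peer's loopback address is deliberately NOT used as evidence of trust:
    a page rendered by the local agent also connects from 127.0.0.1.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return Decision(False, f"origin not allowed: {origin}")
    scheme, _, presented = h.get("authorization", "").partition(" ")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if scheme != "Bearer" or not hmac.compare_digest(presented, token):
        return Decision(False, "missing or invalid session token")
    return Decision(True, "ok")


def admit_tool_call(tool: str) -> Decision:
    """Gate every tool command after the handshake, regardless of who sent it."""
    if tool not in ALLOWED_TOOLS:
        return Decision(False, f"tool not in allowlist: {tool}")
    return Decision(True, "ok")
```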
The vulnerability existed only in the development branch of AutoGen Studio, the open-source prototyping UI for Microsoft’s AutoGen multi-agent framework. It never shipped in any PyPI release of AutoGen Studio or AutoGen itself. After Microsoft reported the issue to the AutoGen maintainers via the Microsoft Security Response Center (MSRC), the fix was applied to the development branch. Users are advised to update to the latest version of AutoGen Studio to receive the patch. No CVE number has been reported for this issue as of the available sources.
Beyond the specific vulnerability, Microsoft highlights that AutoJack demonstrates a fundamental architectural risk for any agentic AI framework that combines web browsing with local tool access. The browser sandbox was designed to isolate web content from the operating system. But an AI agent that sits inside the trust boundary and acts on rendered content creates a bridge from the open web to privileged local operations.
Microsoft warns that the traditional assumption of treating localhost as a safe implicit trust zone no longer holds when agents are involved. The company recommends that agentic AI frameworks adopt:
Localhost used to be a security boundary. With AI agents browsing the open web, it has become an attack surface.