AutoGen Studio MCP WebSocket localhost trust bypass RCE flaw

Vulnerability

Summary

A remote code execution flaw in AutoGen Studio affects the MCP WebSocket surface in pre-release builds 0.4.3.dev1 and 0.4.3.dev2. The exploit chain uses a localhost trust bypass, missing authentication, and command execution from a request parameter. The hardening fix is in GitHub main at commit b047730, but no patched PyPI build has landed yet.

Timeline

  1. 19.06.2026 18:30

    Microsoft details AutoJack exploit chain in AutoGen Studio

    Initial Disclosure

    Microsoft researchers describe AutoJack, an exploit chain in AutoGen Studio's MCP WebSocket surface that can let an AI browsing agent load an attacker page and run a host process under the AutoGen Studio account. The vulnerable handler shipped only in pre-release builds 0.4.3.dev1 and 0.4.3.dev2, while the stable 0.4.2.2 build has no MCP route; maintainers hardened the main branch in commit b047730, and Microsoft reported no exploitation in the wild.
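An exposure check for the affected builds named above, added here as an example and not taken from the article or from the AutoGen Studio project. It scans requirement or `pip freeze` lines for pins on 0.4.3.dev1 or 0.4.3.dev2; the PyPI name `autogenstudio`, the status labels and the sample file are assumptions made for this example.

```python
import re

# Assumption: "autogenstudio" is the PyPI distribution name; the page names only the product.
PACKAGE = "autogenstudio"
AFFECTED = {"0.4.3.dev1", "0.4.3.dev2"}  # pre-release builds named on the page
REQ = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*"
    r"(?:(===|==|>=|<=|~=|!=|<|>)\s*([^\s;,\\]+))?"
)
DEV = re.compile(r"(\d+(?:\.\d+)*)[._-]?dev[._-]?(\d*)")

def normalize_name(name):
    """PEP 503 name normalization: case-insensitive, with -, _ and . equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def normalize_version(version):
    """Fold PEP 440 dev-release spellings (0.4.3-DEV01, 0.4.3dev1) to 0.4.3.devN."""
    v = version.strip().lower().lstrip("v")
    m = DEV.fullmatch(v)
    return f"{m.group(1)}.dev{int(m.group(2) or 0)}" if m else v

def audit(lines):
    """Return (line_no, specifier, status) for every AutoGen Studio requirement."""
    findings = []
    for line_no, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = REQ.match(line)
        if not m or normalize_name(m.group(1)) != PACKAGE:
            continue
        op, version = m.group(2), m.group(3)
        if op in ("==", "==="):
            hit = normalize_version(version) in AFFECTED
            status = "affected" if hit else "not-listed"
        else:
            # A range or bare name can resolve to a dev build when
            # pre-releases are enabled (for example pip --pre).
            status = "unpinned"
        findings.append((line_no, f"{op or ''}{version or ''}", status))
    return findings

# Constructed sample requirements file, not taken from any real project.
SAMPLE = """\
fastapi==0.115.0
autogenstudio==0.4.2.2
AutoGenStudio==0.4.3-DEV01  # pre-release pin
autogenstudio>=0.4
"""

if __name__ == "__main__":
    print(audit(SAMPLE.splitlines()))
```

A "not-listed" result only means the pin is not one of the two builds the article names; "unpinned" entries need the resolved version checked in the environment itself.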