Microsoft Exposes AutoJack: How AI Agents Browsing the Web Can Hand Attackers Full Host Control

Microsoft's AutoJack technique shows how AI agents browsing untrusted websites can be hijacked to execute arbitrary commands on the host via local WebSocket flaws in AutoGen Studio. The research reveals broader risks in agent frameworks where localhost boundaries dissolve, urging stricter isolation and authentication. Enterprises must reassess deployments before capabilities outpace controls.
Written by Dave Ritchie

Microsoft researchers have uncovered a striking vulnerability in AI agent frameworks that turns a helpful web-browsing capability into a remote code execution pathway. The technique, dubbed AutoJack, demonstrates how a single malicious webpage can hijack an agent running on a developer’s machine and force it to spawn arbitrary processes. Short. Direct. And a wake-up call for anyone deploying these systems.

The discovery centers on AutoGen Studio, the open-source prototyping interface built on Microsoft’s AutoGen multi-agent framework. When an agent equipped with browsing tools visits an attacker-controlled site, JavaScript on that page can open a WebSocket connection to a local service on the same host. From there, it crosses what many assume is a safe localhost boundary. The result? Commands execute under the privileges of the user running the agent. No complex memory corruption. No zero-day in the browser itself. Just the agent doing what it was designed to do.

“When an agent on your core server or laptop can browse the open web and communicate with privileged local services, localhost stops being a trust boundary,” Microsoft stated in its analysis. The company detailed the full chain in a Security Blog post published June 18, 2026.

This isn’t an isolated flaw. It builds on earlier work from the same team. In May, Microsoft disclosed two critical vulnerabilities in its Semantic Kernel framework that also allowed prompt injection to achieve host-level remote code execution. One involved unsafe string interpolation in an in-memory vector store that let attackers bypass filters and call system commands. The other exposed a file download function that could write to startup folders, defeating sandboxing. Those issues received CVE-2026-26030 and CVE-2026-25592. Fixes rolled out in updated versions.

But AutoJack stands apart. It doesn’t rely on clever prompt engineering alone. Instead it chains three specific weaknesses in how AutoGen Studio handled its Model Context Protocol (MCP) WebSocket endpoint. First, an origin allowlist that trusted localhost connections. Sounds reasonable. Yet the browsing agent itself runs locally, so any JavaScript it renders carries an acceptable origin. The check collapses.

Second, authentication middleware skipped MCP paths under the assumption the WebSocket handler would enforce its own checks. It didn’t. Even with GitHub, MSAL or Firebase auth enabled for the rest of the application, the critical endpoint remained open. Third, the handler accepted a base64-encoded server_params query string, decoded it directly into parameters, and passed a command plus arguments straight to a process-spawning function. No allowlist. No sanitization. Calc.exe launches. Or PowerShell. Or anything an attacker supplies.

Put them together. A developer builds a simple web summarizer agent using AutoGen’s MultimodalWebSurfer tool. The agent runs alongside AutoGen Studio on the same laptop. The developer pastes a URL or the agent follows a link containing hidden instructions. The page loads in the agent’s headless browser. Its script opens the WebSocket to ws://localhost with the crafted payload. AutoGen Studio executes the command. The proof-of-concept popped calc.exe on the researcher’s desktop within seconds.

The exploit never reached production packages. Microsoft reported the behavior internally to its Security Response Center. Maintainers hardened the main branch in commit b047730 before any PyPI release of the vulnerable code. Users who installed via published packages stayed safe. Those running directly from source during a narrow development window faced exposure. Still, the pattern matters more than this one bug.

CSO Online covered the disclosure hours after the blog appeared, noting the broader implications for enterprise teams racing to adopt agentic systems. “The general guidance still applies because the pattern is broader than this one bug,” the article emphasized. Author Shweta Sharma highlighted how Microsoft continues to invest in agent governance even as it pushes these capabilities forward. (CSO Online, June 19, 2026).

And the risks extend further. Other frameworks show similar weaknesses. Researchers have documented prompt injection turning into shell commands in ModelScope’s MS-Agent, where a Shell tool accepted unsanitized input and executed OS commands with the agent’s privileges. That flaw, tracked as CVE-2026-2256, could let attackers read secrets, drop payloads, or pivot inside networks. SecurityWeek reported on the full scope of potential compromise last March.

Indirect attacks compound the danger. An attacker doesn’t need to speak directly to the agent. They poison data sources the agent will read later. A comment on a legitimate news site. A document uploaded to a shared drive. Even a Jira ticket. The agent ingests the content as part of its normal workflow. Hidden instructions ride along. The model treats them as legitimate tasks. Suddenly the agent books flights, queries internal databases, or modifies code without human oversight.

Microsoft’s earlier May post on Semantic Kernel laid out the mechanics clearly. In one case, a filter lambda built from model output passed through eval(). Attackers escaped the intended constraints by traversing attributes like __name__ to reach BuiltinImporter, load the os module, and call system(). The payload looked like normal query text yet executed calc.exe. The team added multiple layers of allowlists and blocklists in version 1.39.4 to close the path. (Microsoft Security Blog, May 7, 2026).

Enterprises have taken notice. Surveys show over 90 percent of security professionals express concern about AI agents operating in production with broad permissions. Many organizations granted these systems access to email, ticketing platforms, code repositories and cloud consoles before establishing proper containment. The gap between capability and control continues to widen.

Yet the research also points to practical defenses. Isolate agents in sandboxed environments with network restrictions. Require explicit user confirmation for sensitive tool calls. Treat localhost services as untrusted when agents can reach them. Authenticate and authorize every control-plane interaction rather than relying on implicit trust. And above all, avoid running prototyping tools and production agents on the same high-privilege hosts.

AutoGen Studio itself was never intended for hardened deployment. Its documentation frames it as a research prototype with developer-experience tradeoffs. The maintainers responded quickly once the chain surfaced. The updated code uses server-side parameter storage with UUIDs instead of query strings and routes MCP paths through full authentication. The fix prevents the exact AutoJack sequence.

But new agent frameworks emerge monthly. MCP servers that connect AI assistants to third-party tools multiply the surfaces. Each integration promises productivity. Each also expands the attack area. A malicious Figma plugin server or a poisoned skill in a marketplace can achieve similar results. Recent analysis of Hugging Face supply-chain attacks showed namespace hijacking and skill poisoning leading to credential theft and reverse shells.

Security teams now face a structural shift. Traditional perimeters don’t contain agents that act across systems by design. Prompt injection, once dismissed as a chatbot curiosity, has become a delivery mechanism for real system compromise. Memory poisoning, data exfiltration through retrieval-augmented generation, and confused-deputy attacks via localhost all demand attention.

Microsoft continues to evolve its stance. It has expanded tools like MDASH, a multi-model agentic vulnerability discovery system that now integrates with Defender and processes telemetry from trillions of signals. The company positions these capabilities as part of a larger playbook for the agentic era, one that emphasizes containment, governance and autonomous security agents that monitor other agents.

Developers building with AutoGen, Semantic Kernel or similar stacks should review their configurations today. Check whether browsing agents share hosts with local control planes. Verify that WebSocket endpoints demand proper authentication. Ensure command execution paths include strict allowlists. Test agents against indirect prompt injection using realistic data sources.

The AutoJack demonstration lasted only seconds in the lab. In the wild, the same technique could install persistent access, exfiltrate credentials or quietly alter build outputs consumed downstream. The agent doesn’t know it’s been carjacked. It simply follows the next instruction.

That reality demands a different mindset. Treat every web-browsing agent as a potential confused deputy. Assume localhost is not private. And build defenses that match the autonomy these systems now possess. Because the next malicious page is already live. Waiting for an agent to visit.
