ctipilot.ch

AutoJack — single-web-page host RCE via AI agent's local MCP WebSocket (AutoGen Studio dev builds)

vulnerability-trend · item:autojack-mcp-websocket-rce

Coverage timeline: 1 (first 2026-06-20, last 2026-06-20)
Briefs: 1 (1 distinct)
Sources cited: 2 (2 hosts)
Sections touched: 1 (research)
Co-occurring entities: 5 (see Related entities below)

Story timeline

  1. 2026-06-20: CTI Daily Brief — 2026-06-20 (research). First coverage: origin-bypass + unauthenticated local API + command-injection attack class for agentic MCP tooling

Where this entity is cited

  • research (1)

Source distribution

  • microsoft.com: 1 (50%)
  • thehackernews.com: 1 (50%)

Related entities

Items in briefs about AutoJack — single-web-page host RCE via AI agent's local MCP WebSocket (AutoGen Studio dev builds) (1)

AutoJack — Microsoft shows a single web page can drive host RCE through an AI agent's local MCP server

From CTI Daily Brief — 2026-06-20 · published 2026-06-20

Microsoft Security researchers disclosed AutoJack on 2026-06-18, a three-weakness chain against AutoGen Studio's Model Context Protocol (MCP) WebSocket surface that lets a malicious web page rendered by a local AI browsing agent execute arbitrary commands on the host (Microsoft Security Blog, 2026-06-18). The chain: (1) the WebSocket origin allowlist accepts a locally-running browsing agent's localhost identity (CWE-1385 missing origin validation); (2) the auth middleware exempts all /api/mcp/* paths (CWE-306 missing authentication); (3) the MCP handler base64-decodes a server_params URL query parameter and passes it to OS process execution (CWE-78 OS command injection). The flaw existed only in pre-release PyPI builds 0.4.3.dev1/0.4.3.dev2 — the stable 0.4.2.2 was never affected — and was fixed before public release; no in-the-wild exploitation was observed (The Hacker News, 2026-06-19).

Why it matters to us: The specific package never shipped, but the pattern — origin-bypass → unauthenticated local API → executable parameter — generalises to any agentic framework exposing a local WebSocket/MCP endpoint to browsing agents. Teams piloting MCP-based tooling should validate Origin headers on all localhost WebSocket servers, require authentication on every path, refuse executable parameters via URL query strings, and run agent frameworks in sandboxes rather than on developer workstations.
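A request gate that applies the three mitigations above to a localhost MCP endpoint, added here as an illustration and not code from AutoGen Studio or Microsoft; the allowed origins, bearer token, server registry and the `gate_mcp_request` name are constructed assumptions.

```python
"""Gate for a localhost MCP WebSocket/HTTP surface (added example, hypothetical names)."""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed policy: exact origins the UI is served from. Matching on the host name
# alone would let any other localhost-origin page (such as a local browsing agent's) in,
# so scheme and port are part of the match.
ALLOWED_ORIGINS = {"http://127.0.0.1:8081", "http://localhost:8081"}
# Constructed shared secret the UI attaches to every request; no path is exempt.
API_TOKEN = "constructed-token-do-not-use"
# Only pre-registered MCP server commands may be launched, selected by name.
REGISTERED_MCP_SERVERS: Dict[str, List[str]] = {
    "filesystem": ["mcp-server-filesystem", "/srv/docs"],
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    argv: Optional[List[str]] = None


def gate_mcp_request(headers: Dict[str, str], url: str, body: Optional[dict] = None) -> Decision:
    """Decide whether a request may reach the MCP handler and which argv it may launch."""
    # (1) Origin validation: a missing or non-allowlisted Origin is refused outright.
    origin = headers.get("origin", "")
    if origin not in ALLOWED_ORIGINS:
        return Decision(False, f"origin not allowed: {origin!r}")
    # (2) Authentication on every path, /api/mcp/* included (constant-time compare).
    token = headers.get("authorization", "")
    token = token[len("Bearer "):] if token.startswith("Bearer ") else ""
    if not hmac.compare_digest(token, API_TOKEN):
        return Decision(False, "missing or invalid bearer token")
    # (3) No executable parameters via the query string: server_params is refused
    #     before anything is decoded, and the command comes from the registry instead.
    query = parse_qs(urlsplit(url).query)
    if "server_params" in query:
        return Decision(False, "executable parameters via query string are refused")
    name = (body or {}).get("server")
    if name not in REGISTERED_MCP_SERVERS:
        return Decision(False, f"unknown MCP server: {name!r}")
    return Decision(True, "ok", list(REGISTERED_MCP_SERVERS[name]))
```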