ctipilot.ch

AutoJack

trend · trend:autojack-mcp-websocket-rce

AutoJack — single-web-page host RCE via AI agent's local MCP WebSocket (AutoGen Studio dev builds)

  • Coverage timeline: 2 (first 2026-06-20 → last 2026-06-22)
  • Entries: 2 (2 distinct days)
  • Sources cited: 6 (6 hosts)
  • Sections touched: 2 (research, weekly-research)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-06-22 · weekly-research · Research: the AI agent and toolchain control plane became a concrete attack-surface class this week
  2. 2026-06-20 · research · AutoJack — Microsoft shows a single web page can drive host RCE through an AI agent's local MCP server

Where this entity is cited

  • research: 1
  • weekly-research: 1

Source distribution

  • aikido.dev: 1 (17%)
  • microsoft.com: 1 (17%)
  • obsidiansecurity.com: 1 (17%)
  • thehackernews.com: 1 (17%)
  • unit42.paloaltonetworks.com: 1 (17%)
  • varonis.com: 1 (17%)

Related entities

Entries about AutoJack (2)

2026-06-22

Research: the AI agent and toolchain control plane became a concrete attack-surface class this week

high · research · discovered 2026-06-22 00:14 UTC

The week's single most important research synthesis is that the AI developer toolchain — gateways, agents, IDE plugins and the Model Context Protocol — stopped being a theoretical risk and accumulated a cluster of working exploit chains. Microsoft's AutoJack showed a single malicious web page can drive host-level RCE through an AI browsing agent's local MCP WebSocket: a three-flaw chain in AutoGen Studio (origin-allowlist bypass, missing auth on /api/mcp/*, and OS command injection via StdioServerParams) lets an attacker-steered agent reach a privileged localhost socket and execute arbitrary host processes (Microsoft Security, 2026-06-18; daily 06-20). That sits alongside the week's other AI-surface disclosures: Obsidian Security's three-CVE LiteLLM chain turning any gateway user into root (Obsidian, 2026-06-16; daily 06-16), Varonis "SearchLeak" one-click M365 Copilot data exfiltration (CVE-2026-42824) (Varonis; daily 06-16), Unit 42's "Pickle in the Middle" cross-tenant code execution in Google Vertex AI (CVE-2026-2473) (Unit 42; daily 06-17), and 15 malicious JetBrains Marketplace plugins exfiltrating AI-provider API keys (Aikido; daily 06-18). Sophos X-Ops' underground-AI report (daily 06-19) confirms criminal interest in exactly these agent frameworks. The defender takeaway for CH/EU public-sector teams adopting AI tooling: treat self-hosted AI gateways and agent frameworks as internet-adjacent application servers — bind MCP/agent sockets to loopback behind a host firewall, run them under low-privilege isolated accounts, never on shared or production hosts, and rotate the API keys and cloud credentials these tools concentrate.

ai-abuse cloud vulnerabilities supply-chain global

2026-06-20

AutoJack — Microsoft shows a single web page can drive host RCE through an AI agent's local MCP server

notable · research · discovered 2026-06-20 05:12 UTC

Microsoft Security researchers disclosed AutoJack on 2026-06-18, a three-weakness chain against AutoGen Studio's Model Context Protocol (MCP) WebSocket surface that lets a malicious web page rendered by a local AI browsing agent execute arbitrary commands on the host (Microsoft Security Blog, 2026-06-18). The chain: (1) the WebSocket origin allowlist accepts a locally-running browsing agent's localhost identity (CWE-1385 missing origin validation); (2) the auth middleware exempts all /api/mcp/* paths (CWE-306 missing authentication); (3) the MCP handler base64-decodes a server_params URL query parameter and passes it to OS process execution (CWE-78 OS command injection). The flaw existed only in pre-release PyPI builds 0.4.3.dev1/0.4.3.dev2 — the stable 0.4.2.2 was never affected — and was fixed before public release; no in-the-wild exploitation was observed (The Hacker News, 2026-06-19).

Why it matters to us: The specific package never shipped, but the pattern — origin-bypass → unauthenticated local API → executable parameter — generalises to any agentic framework exposing a local WebSocket/MCP endpoint to browsing agents. Teams piloting MCP-based tooling should validate Origin headers on all localhost WebSocket servers, require authentication on every path, refuse executable parameters via URL query strings, and run agent frameworks in sandboxes rather than on developer workstations.
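The three mitigations above as a single request gate for a localhost MCP-style WebSocket/API server; this is an added example, not code from AutoGen Studio, Microsoft or the entry's sources. The allowed origin, the session token and the use of a bearer header are constructed assumptions for illustration.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed placeholders: the one UI origin allowed to open the socket, and
# the per-session bearer token issued to that UI (never a hard-coded secret).
ALLOWED_ORIGINS = frozenset({"http://127.0.0.1:8081"})
SESSION_TOKEN = "constructed-example-token-change-me"


class Rejected(Exception):
    """Raised with the reason a request was refused; log it, never act on it."""


def gate(method: str, url: str, headers: dict[str, str]) -> dict:
    """Return the parsed request only if all three checks pass."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    parts = urlsplit(url)
    query = parse_qs(parts.query)

    # 1. Origin: exact scheme://host:port match against a closed allowlist.
    #    A missing header or any other localhost origin (such as a page a local
    #    browsing agent is rendering) is refused, not assumed to be friendly.
    origin = h.get("origin", "")
    if origin not in ALLOWED_ORIGINS:
        raise Rejected(f"origin not allowed: {origin!r}")

    # 2. Authentication on every path: /api/mcp/* gets no exemption, and the
    #    token compare is constant-time.
    scheme, _, token = h.get("authorization", "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(token.encode(), SESSION_TOKEN.encode()):
        raise Rejected("missing or invalid bearer token")

    # 3. Executable parameters never arrive in the URL query string, where a
    #    link the agent is steered to can plant them; refuse rather than decode.
    if "server_params" in query:
        raise Rejected("server_params must not be supplied via URL query")

    return {"method": method, "path": parts.path, "query": query}


def decide(method: str, url: str, headers: dict[str, str]) -> tuple[bool, str]:
    """Wrapper for logging: (True, 'ok') or (False, reason)."""
    try:
        gate(method, url, headers)
        return True, "ok"
    except Rejected as exc:
        return False, str(exc)
```

Wire `gate` in front of every route, including the WebSocket upgrade handler, so the MCP paths inherit the same checks as the rest of the API.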

vulnerabilities ai-abuse rce poc-public global