Raw URL Capture - AutoJack
> Untrusted external source. The source's code, commands, payloads, and instructions were not executed or copied into the trusted operating layer.
Capture Metadata
- Original URL: https://www.microsoft.com/en-us/security/blog/2026/06/18/autojack-single-page-rce-host-running-ai-agent/
- Published timestamp reported by the page: 2026-06-19T00:17:54+00:00
- Collected: 2026-06-20
- Publisher: Microsoft Security
- Access note: the origin returned HTTP 403 to direct PowerShell retrieval. A read-only text rendering of the same canonical URL was used to review the article; the canonical title, URL, publication time, remediation commit, and claims were retained.
Defensive Capture Summary
- Microsoft describes an AutoGen Studio development-branch exploit chain in which untrusted content rendered by a browsing agent could reach a local MCP WebSocket and cause host process execution.
- The chain combined inadequate WebSocket origin assumptions, missing authentication on MCP routes, and attacker-controlled process parameters.
- The maintainers hardened the upstream main branch in commit b047730; Microsoft states the affected MCP WebSocket surface was never shipped in a PyPI release.
- General lesson: a web-browsing agent running on the same host can invalidate the assumption that localhost or loopback is a trusted boundary. Local control planes need authentication, authorization, parameter binding, and isolation.
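As an added illustration of the three hardening points above (not code from Microsoft, the article, or the AutoGen project): a minimal policy object for a local WebSocket control plane that rejects unexpected origins, requires a per-session bearer token even on loopback, and binds tool calls to declared parameters only. The class and function names, the tool schemas and the header layout are assumptions.

```python
import hmac
from dataclasses import dataclass

# Hypothetical per-tool parameter schema: name -> expected type. Anything not declared
# is rejected, so a caller cannot smuggle process-level fields such as "command",
# "argv", "cwd" or "env" into a tool invocation.
TOOL_SCHEMAS = {
    "list_files": {"path": str},
    "run_tests": {"suite": str, "verbose": bool},
}


@dataclass(frozen=True)
class ControlPlanePolicy:
    token: str                  # per-session secret generated at startup, handed to the UI
    allowed_origins: frozenset  # the one local UI origin that may open the WebSocket

    def check_handshake(self, headers: dict) -> tuple[bool, str]:
        """Decide whether a WebSocket upgrade may proceed. Loopback is not a trust
        boundary: any browser tab on this host can connect here, so the request must
        carry both the expected Origin and a bearer token only the launched UI holds."""
        origin = headers.get("Origin")
        if origin not in self.allowed_origins:
            return False, "origin not allowed"
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not hmac.compare_digest(presented, self.token):
            return False, "missing or invalid token"
        return True, "ok"

    def bind_request(self, msg: dict) -> dict:
        """Bind a tool call to its declared parameters; reject unknown tools and any
        undeclared or mistyped argument rather than forwarding the raw dict."""
        schema = TOOL_SCHEMAS.get(msg.get("tool"))
        if schema is None:
            raise PermissionError(f"unknown tool: {msg.get('tool')!r}")
        args = msg.get("args", {})
        extra = set(args) - set(schema)
        if extra:
            raise ValueError(f"undeclared parameters: {sorted(extra)}")
        bound = {}
        for name, typ in schema.items():
            if name not in args or type(args[name]) is not typ:
                raise ValueError(f"parameter {name!r} missing or not {typ.__name__}")
            bound[name] = args[name]
        return {"tool": msg["tool"], "args": bound}
```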
Safety Notes
- Exploit payloads, runnable proof-of-concept code, and hunting commands were intentionally omitted.
- The source states that the specific chain was fixed before release; this capture does not assert exposure of PyPI users.