Microsoft disclosed a critical vulnerability chain in AutoGen Studio, the graphical prototyping interface for the AutoGen multi-agent AI framework, that allows attackers to hijack AI agents and execute arbitrary commands on a developer’s machine. The attack, termed AutoJack, exploits three distinct weaknesses in AutoGen’s authentication and command-execution architecture. It requires no installed malware on the target system and turns trust boundaries that are common across AI development tooling into an entry point.
Three-Part Attack Chain
AutoJack chains three weaknesses in AutoGen’s trust model. First, AutoGen Studio’s Model Context Protocol (MCP) WebSocket treats any connection arriving from localhost as trusted. A browser on the developer’s machine, whether driven by the developer or by a browsing agent, satisfies that check no matter which page it is rendering, so once that browser is steered to an attacker-controlled page, the page’s JavaScript can open a WebSocket to the local endpoint and is accepted as if it were the Studio UI. Second, the /api/mcp/* routes skip credential verification, leaving an unauthenticated channel open between agents and the execution environment. Third, the MCP WebSocket accepts a base64-encoded server_params parameter from the URL and passes it directly to process-launching code with no validation.
Chain these three weaknesses together, and an attacker can execute arbitrary PowerShell or Bash commands in the context of the AutoGen Studio process—potentially with full system access if the developer runs as administrator. The attack requires only that a developer click a link while AutoGen Studio is running, a lower bar than traditional host compromise.
Why Unsanitized server_params Is the Critical Link
The base64-encoded parameter injection bypasses conventional web application security controls because AutoGen Studio does not validate the serialized configuration against a schema or allowlist before passing it to process-spawning code; the encoding is not a protection, it only keeps the payload from being readable in the URL and from matching naive pattern filters. Researchers demonstrated arbitrary PowerShell command execution using a crafted URL pointing to attacker-controlled infrastructure. Phishing emails, malicious GitHub READMEs, and compromised npm package documentation all serve as viable delivery vectors, channels developers encounter routinely. The attack produces no visible indicator on the developer’s screen beyond a briefly loaded webpage; the host-side artifact is a PowerShell or Bash process spawned as a child of the AutoGen Studio process, which is the signal to hunt for in endpoint telemetry.
Impact, Scope, and Fix
Microsoft identified and patched the vulnerability. The fix closes the unauthenticated execution path by validating agent inputs before they reach process-launching code. Developers using AutoGen Studio should apply the latest update immediately and review any local services the framework can reach. Until the update is in place, running Studio under a non-administrative account and not leaving it running while browsing limits what a successful injection can do.
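What "validating inputs before they reach process-launching code" looks like in practice, as an added example that is not AutoGen Studio's code. The unsafe function mirrors the shape the article describes (decode the URL blob, hand it to the launcher); the hardened one decodes the same blob but only returns an argv when the command is on an operator allowlist, the argument list is bounded and well-formed, and no unexpected keys such as environment overrides are present. The allowlist, the accepted keys, and the two sample payloads are constructed for this example.

```python
import base64
import json
import subprocess

# Constructed allowlist for this example: the only MCP server launchers the
# operator has approved, and the most arguments each may take. Not AutoGen
# Studio's configuration; an assumption made here to show the pattern.
ALLOWED_COMMANDS = {"npx": 8, "uvx": 8}

# The only keys the hardened path accepts from the URL. "env" is deliberately
# absent: environment overrides from an untrusted source are not needed to
# launch an allowlisted server and are a classic way to change what runs.
ALLOWED_KEYS = {"command", "args"}


def encode_server_params(params: dict) -> str:
    """Serialize a config the way a URL would carry it (used to build inputs)."""
    return base64.urlsafe_b64encode(json.dumps(params).encode()).decode()


def decode_server_params(raw: str) -> dict:
    """Decode the URL-supplied base64 JSON blob. Shared by both paths below;
    decoding is not validation. base64 and JSON errors are both ValueError."""
    try:
        padded = raw + "=" * (-len(raw) % 4)
        params = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:
        raise ValueError(f"server_params is not base64-encoded JSON: {exc}") from exc
    if not isinstance(params, dict):
        raise ValueError("server_params must be a JSON object")
    return params


def argv_unsafe(raw: str) -> list[str]:
    """The vulnerable shape: whatever command and args the URL carried become
    the argv handed to the process launcher."""
    params = decode_server_params(raw)
    return [params["command"], *params.get("args", [])]


def argv_hardened(raw: str) -> list[str]:
    """The fixed shape: reject anything that is not an allowlisted launcher with
    a bounded list of well-formed string arguments, before any process is spawned."""
    params = decode_server_params(raw)
    unexpected = set(params) - ALLOWED_KEYS
    if unexpected:
        raise ValueError(f"unexpected keys in server_params: {sorted(unexpected)}")
    command = params.get("command")
    args = params.get("args", [])
    if not isinstance(command, str) or command not in ALLOWED_COMMANDS:
        raise ValueError(f"command not in allowlist: {command!r}")
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        raise ValueError("args must be a list of strings")
    if len(args) > ALLOWED_COMMANDS[command]:
        raise ValueError(f"too many arguments for {command}")
    for a in args:
        if not a or any(ch in a for ch in "\x00\r\n"):
            raise ValueError("argument is empty or contains a control character")
    return [command, *args]


def launch(argv: list[str]) -> subprocess.Popen:
    """Where a validated argv would go. A list with shell=False means no shell
    re-parses these strings; the allowlist above is what keeps the command
    itself under operator control."""
    return subprocess.Popen(argv, shell=False)


# Constructed inputs: what an attacker-controlled page could place in the URL,
# and what a legitimate Studio configuration looks like.
ATTACKER_PARAMS = {"command": "sh", "args": ["-c", "id"]}
LEGIT_PARAMS = {"command": "npx", "args": ["-y", "example-mcp-server"]}
```

Note that the hardened path rejects on the first failing rule and never reaches `launch`; an allowlist of launchers is also a far smaller surface than trying to filter "dangerous" arguments, which is why the example does not attempt the latter.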
Why AutoGen’s MCP WebSocket Creates Novel Execution Risks for AI Development Environments
The AutoJack chain exposes a structural problem that extends well beyond AutoGen Studio. Any framework that lets agents browse the web while also exposing local management APIs over HTTP must treat incoming web content as untrusted input capable of reaching those local endpoints. Localhost-based authentication—a shortcut common in developer tooling—breaks down the moment an agent can fetch content from attacker-controlled pages.
Network-level controls that restrict localhost connections from browser-running agent processes help, but they cannot tell the Studio UI apart from an attacker’s page rendered in the same browser, because both connect from the same address. Cryptographic authentication at the API layer, using a secret that page script cannot obtain, is the definitive fix. Organizations deploying AI agents with web-browsing capabilities should audit any local services those agents can reach and apply least-privilege controls to all agent-to-service communication before deployment.
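The difference between the source-address shortcut and a real credential, as an added example that is not AutoGen Studio’s code: the class below keeps both policies side by side so the gap is testable. The app origin, the header names, and the token transport (a bearer Authorization header for non-browser clients, or a `token.<value>` entry in Sec-WebSocket-Protocol for browser code, which cannot set Authorization on a WebSocket) are assumptions for illustration. The properties it relies on are that a browser sets Origin on every WebSocket handshake and page script cannot change it, and that the per-process session token is never derivable from where a connection comes from.

```python
import hmac
import secrets
from typing import Mapping, Optional


class McpWebSocketGate:
    """Decides whether a WebSocket upgrade may reach a local MCP endpoint.
    Hypothetical helper written for this article, not AutoGen Studio's code."""

    def __init__(self, app_origin: str):
        # Origin the Studio UI is served from (assumed value in the usage below).
        self.app_origin = app_origin
        # Per-process secret minted at startup and handed only to the legitimate
        # UI (e.g. injected into the page the server itself serves).
        self.session_token = secrets.token_urlsafe(32)

    @staticmethod
    def _is_loopback(peer_ip: str) -> bool:
        return peer_ip in ("127.0.0.1", "::1")

    def authorize_by_source(self, peer_ip: str, headers: Mapping[str, str]) -> bool:
        """The shortcut the article describes: the source address is the credential.
        A browser on the developer's machine passes this no matter which page it
        is rendering, so attacker JavaScript passes too."""
        return self._is_loopback(peer_ip)

    def authorize(self, peer_ip: str, headers: Mapping[str, str]) -> tuple:
        """Hardened policy. Browsers always send Origin on a WebSocket handshake,
        so a present-but-wrong Origin is a cross-site page and is refused; an
        absent Origin means a non-browser client, which is held to the token
        alone. The token check is constant-time on bytes."""
        h = {k.lower(): v for k, v in headers.items()}
        origin = h.get("origin")
        if origin is not None and origin != self.app_origin:
            return False, f"origin {origin!r} is not {self.app_origin!r}"
        presented = self._extract_token(h)
        if presented is None or not hmac.compare_digest(
            presented.encode(), self.session_token.encode()
        ):
            return False, "missing or invalid session token"
        return True, "ok"

    @staticmethod
    def _extract_token(h: Mapping[str, str]) -> Optional[str]:
        """Bearer header for non-browser clients, or a 'token.<value>' entry in
        Sec-WebSocket-Protocol for browser code (assumed transport)."""
        scheme, _, token = h.get("authorization", "").partition(" ")
        if scheme.lower() == "bearer" and token:
            return token
        for proto in h.get("sec-websocket-protocol", "").split(","):
            proto = proto.strip()
            if proto.startswith("token."):
                return proto[len("token."):]
        return None


if __name__ == "__main__":
    gate = McpWebSocketGate("http://127.0.0.1:8081")
    # Constructed handshake from attacker JavaScript running in the developer's
    # browser: the TCP peer is loopback, but the Origin is the attacker's site.
    attacker = {"Origin": "https://attacker.example",
                "Sec-WebSocket-Protocol": "token.guess"}
    print("source-address policy admits attacker page:",
          gate.authorize_by_source("127.0.0.1", attacker))
    print("hardened policy:", gate.authorize("127.0.0.1", attacker))
```

The point of the two sample results is that the loopback check says yes to the attacker page and the hardened check says no, with no change to the network position of either client.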
The vulnerability class AutoJack demonstrates—URL parameters reaching process-launching code through an AI agent intermediary—will recur as frameworks standardize on MCP and similar protocols that blur the line between web content and local command execution. Security teams embedding AI agents into enterprise workflows need to add agent-framework trust boundaries to their standard threat model from day one.
Affected systems: Microsoft AutoGen Studio (AI agent development framework).
Attack vector: Malicious webpages that trick AI agents into executing arbitrary system commands via crafted MCP parameters.
Status: Fixed by Microsoft. Users should apply the latest available update.
Recommendation: Update AutoGen Studio immediately. Review all local services accessible to AI agents in your environment and verify that agent-to-framework communication requires explicit authentication.
