AutoJack: One Web Page Turns a Local AI Agent Into Host Code Execution

TL;DR what: AutoJack chains three weaknesses in AutoGen Studio's MCP WebSocket so an...

venerdì 19 giugno 2026 New tab

881 words~4 min read

TL;DR

what: AutoJack chains three weaknesses in AutoGen Studio's MCP WebSocket so an attacker web page, loaded by a local AI browsing agent, runs arbitrary commands on the host.

impact: Any page the agent opens can spawn a process under the account running AutoGen Studio with no credentials and no further user interaction.

fix: The real fix is GitHub main at commit b047730 (PR #7362); no patched PyPI release exists yet, so stay on stable 0.4.2.2 or pull from source.

who: Anyone who ran AutoGen Studio pre-releases 0.4.3.dev1 or 0.4.3.dev2 alongside a browsing or untrusted-content agent on the same machine.

AutoJack: One Web Page Turns a Local AI Agent Into Host Code Execution

AutoJack: One Web Page Turns a Local AI Agent Into Host Code Execution

Other newsrooms on this story

Related reading

AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution

Microsoft fixes AutoGen Studio flaw that enabled code execution

Agentjacking: AI Coding Agents Tricked Into Running Malicious Code via Sentry…

Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code

‘SymJack’ Attack Turns AI Coding Agents Into Supply Chain Attack Delivery…

Agentjacking: How AI Coding Agents Get Hijacked Through Their Own Tool Pipeline

Other newsrooms on this story

Related reading

AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution

Microsoft fixes AutoGen Studio flaw that enabled code execution

Agentjacking: AI Coding Agents Tricked Into Running Malicious Code via Sentry…

Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code

‘SymJack’ Attack Turns AI Coding Agents Into Supply Chain Attack Delivery…

Agentjacking: How AI Coding Agents Get Hijacked Through Their Own Tool Pipeline