Microsoft says web-enabled AI agents can trigger host-level RCE


Microsoft is warning of a novel remote code execution (RCE) path through web-enabled AI agents, demonstrating the technique against AutoGen Studio, its open-source interface for building and testing multi-agent applications.

The demonstration showed that a malicious webpage rendered by an AutoGen-powered browsing agent could reach a local Model Context Protocol (MCP) service and run arbitrary processes on the host machine.

Microsoft researchers dubbed the technique "AutoJack" because it hijacks a web-accessing AI agent and abuses the agent's trusted local access to bypass localhost security boundaries. The attack chains three separate weaknesses in AutoGen Studio's MCP WebSocket implementation, though Microsoft said the problem extends beyond AutoGen and could affect a broader class of agentic frameworks.

"When an agent on your core server or laptop can browse the open web and communicate with privileged local services, localhost stops being a trust boundary," it said in a blog post.

The findings were reported internally to the Microsoft Security Response Center (MSRC), and the affected AutoGen Studio code was reportedly fixed before reaching a public PyPI release.

Three flaws chained into RCE

The first weakness involved an origin allowlist designed to accept connections only from localhost. Under normal conditions, this protection would block a browser visiting a malicious external website. However, Microsoft found that a browsing agent running locally inherits the localhost identity, so attacker-controlled JavaScript rendered by the agent can satisfy the origin check.

The second issue stemmed from the authentication logic. AutoGen Studio's authentication layer excluded MCP WebSocket paths from the normal authentication checks, on the assumption that those endpoints would implement their own controls. According to Microsoft, the MCP route never enforced those additional checks, leaving the interface reachable without authentication regardless of the configured authentication mode.

The third was the most dangerous of the issues. The MCP endpoint accepted a "server_params" value supplied through the URL, decoded it, and passed the resulting command and arguments directly to the process-spawning mechanism used for MCP servers. Because no allowlist restricted which executables could be launched, an attacker could specify arbitrary commands such as PowerShell, Bash, or any other binary on the host.

Microsoft said chaining these weaknesses allowed a webpage to trigger arbitrary process execution on the machine hosting AutoGen Studio, with no user interaction beyond getting the agent to render the page.

The threat never touched production

Microsoft said the vulnerable code existed only in development builds that included MCP support and was never shipped through the current PyPI release. Users who installed AutoGen Studio from PyPI were therefore never exposed to AutoJack.

For those installing AutoGen Studio from source, the maintainers subsequently removed the URL-based parameter injection, routed MCP paths through the normal authentication flow, and moved server parameter handling to the server side, keyed to session identifiers.

Beyond the specific bugs, Microsoft argues that AutoJack illustrates a pattern across agent frameworks. "The general guidance still applies because the pattern (an agent on the box reaching localhost services) is broader than this one bug," it said. AutoJack was a result of Microsoft's ongoing research into how traditional software risks change when AI models connect to tools, browsers, code interpreters, and local services. The findings come as Microsoft doubles down on agentic AI initiatives across its product portfolio, expanding its investments in agent governance, containment, and autonomous security systems.
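To make the three-step chain and the described fix concrete, the following is an added, hypothetical Python model written for this article; it is not AutoGen Studio's code, and the endpoint path, port, token store, session store, and allowlist contents are all constructed assumptions. The weak handler trusts a localhost origin, skips authentication on the MCP path, and takes the command to launch from a base64-encoded "server_params" query value; the hardened handler authenticates every path, refuses URL-supplied parameters, resolves the MCP server from a server-side session record, and checks the executable against an allowlist. Neither function spawns anything: each returns the command it would have launched, so the example runs safely offline.

```python
"""Toy model of the AutoJack chain (hypothetical; not AutoGen Studio code).
Nothing here spawns a process: the resolvers return the (command, args)
tuple that a real handler would hand to the MCP process launcher."""
import base64
import json
from urllib.parse import parse_qs, urlparse

# Constructed sample configuration for the model.
ALLOWED_ORIGINS = {"http://localhost:8081", "http://127.0.0.1:8081"}
VALID_TOKENS = {"session-token-abc"}
# Server-side store keyed by session id, as the fix described in the article.
SESSION_MCP_PARAMS = {
    "sess-42": {"command": "npx", "args": ["-y", "@example/mcp-filesystem"]},
}
ALLOWED_COMMANDS = {"npx", "uvx"}
MCP_PATH = "/api/ws/mcp"  # assumed endpoint path


def _query(url):
    """First value of each query parameter."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def vulnerable_resolve(ws_url, origin, auth_token=None):
    """Weakness 1: the origin allowlist is satisfied by a local agent.
    Weakness 2: the MCP path is exempt from the normal auth check.
    Weakness 3: server_params from the URL decides what gets launched."""
    if origin not in ALLOWED_ORIGINS:
        raise PermissionError("origin rejected")
    path = urlparse(ws_url).path
    if not path.startswith(MCP_PATH):  # auth enforced on other paths only
        if auth_token not in VALID_TOKENS:
            raise PermissionError("unauthenticated")
    params = json.loads(base64.urlsafe_b64decode(_query(ws_url)["server_params"]))
    return params["command"], params.get("args", [])  # arbitrary executable


def hardened_resolve(ws_url, origin, auth_token=None):
    """Origin check kept, but it is no longer the only control."""
    if origin not in ALLOWED_ORIGINS:
        raise PermissionError("origin rejected")
    if auth_token not in VALID_TOKENS:  # every path, MCP included
        raise PermissionError("unauthenticated")
    q = _query(ws_url)
    if "server_params" in q:  # the client may not name a command at all
        raise ValueError("server_params must not be supplied via URL")
    params = SESSION_MCP_PARAMS.get(q.get("session_id", ""))
    if params is None:
        raise KeyError("unknown session")
    if params["command"] not in ALLOWED_COMMANDS:
        raise ValueError("executable not allowlisted")
    return params["command"], params.get("args", [])


def attacker_url(command, args):
    """The WebSocket URL that attacker JavaScript rendered by a local
    browsing agent would open against the model's MCP endpoint."""
    blob = base64.urlsafe_b64encode(
        json.dumps({"command": command, "args": args}).encode()).decode()
    return f"ws://localhost:8081{MCP_PATH}?server_params={blob}"


def rejected(fn, *args, **kwargs):
    """True if the resolver refuses the request for any of the modelled reasons."""
    try:
        fn(*args, **kwargs)
    except (PermissionError, ValueError, KeyError):
        return True
    return False


if __name__ == "__main__":
    url = attacker_url("powershell", ["-c", "whoami"])
    print("weak handler would launch:", vulnerable_resolve(url, "http://localhost:8081"))
    print("hardened handler rejects it:", rejected(hardened_resolve, url, "http://localhost:8081"))
```

The point of the model is that the origin allowlist is unchanged between the two handlers: once an agent sits on the same machine, that check no longer distinguishes the user from a page the agent happened to load, so the authentication and the server-side parameter lookup have to carry the weight.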