Agentic Intelligence · Infomly
Jun 19, 2026
8:01 PM
Agentic AI

Microsoft just proved your agent's localhost is not a trust boundary. One page = full host RCE.

Microsoft Defender Security Research published AutoJack yesterday.

An exploit chain in AutoGen Studio lets a single web page achieve remote code execution on the machine running your AI agent.

The attack chains three separate weaknesses:

1. AutoGen Studio's MCP WebSocket only accepts connections from localhost. But a browsing agent running on the same machine IS localhost: a script on any page it renders can open a WebSocket whose TCP source is 127.0.0.1, so the loopback check passes for the attacker's page exactly as it would for the developer's own UI. The origin check, the only gate on the endpoint, becomes meaningless.

2. The auth middleware explicitly skips /api/mcp paths. The MCP handler never implemented its own auth. Every authentication mode — GitHub, MSAL, Firebase — protects the REST API. The WebSocket? Wide open.

3. The endpoint accepts a server_params query parameter, base64-decodes it, and passes the command directly to stdio_client. No allowlist. No validation. Calc.exe, powershell.exe, bash — all accepted as "MCP servers."

Chain them together: a browsing agent renders an attacker's page. The page opens a WebSocket to ws://localhost:8081/api/mcp/ws/?server_params=<base64>. Origin passes. Auth is skipped. Command executes under the developer's account.

This is a confused deputy attack. The agent becomes the attacker's last-mile delivery vehicle.

The fix landed in commit b047730. server_params no longer comes from the URL. A POST route stores parameters server-side with UUID keying. The auth skip list no longer includes /api/mcp.
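To make the chain and the shape of the fix concrete, here is a toy model of both handlers side by side. This is added illustrative code, not AutoGen Studio's source or Microsoft's proof of concept: the request class, the function names, the allowlist contents and the bearer-token check are assumptions for the example. The vulnerable handler returns the argv it would hand to stdio_client instead of executing it, so the example is safe to run.

```python
"""AutoJack-style weakness next to a hardened handler. Illustrative only; nothing is executed."""
from __future__ import annotations

import base64
import json
import uuid
from dataclasses import dataclass, field
from urllib.parse import parse_qs, quote, urlparse

MCP_WS = "ws://localhost:8081/api/mcp/ws/"


@dataclass
class Request:
    """Stand-in for the WebSocket upgrade request as the server sees it (assumed shape).

    remote_addr is the TCP peer. For a page rendered by a browsing agent on the same
    host that is always 127.0.0.1, whatever site the page was fetched from."""
    url: str
    remote_addr: str
    headers: dict = field(default_factory=dict)


def build_attacker_url(command: str, args: list[str] | None = None) -> str:
    """What the attacker's page computes in JavaScript before calling new WebSocket()."""
    payload = json.dumps({"command": command, "args": args or []}).encode()
    return MCP_WS + "?server_params=" + quote(base64.b64encode(payload).decode())


def vulnerable_mcp_ws(req: Request) -> list[str]:
    """The pattern the post describes: loopback check only, auth skipped for /api/mcp,
    launch command base64-decoded straight from the URL. Returns the argv that would
    reach stdio_client; this toy never spawns it."""
    if req.remote_addr not in ("127.0.0.1", "::1"):
        raise PermissionError("not loopback")
    qs = parse_qs(urlparse(req.url).query)
    params = json.loads(base64.b64decode(qs["server_params"][0]))
    return [params["command"], *params.get("args", [])]


# Hardened side. Hypothetical allowlist: the client names a server, the server owns the argv.
ALLOWED_SERVERS = {
    "filesystem": ["npx", "-y", "@modelcontextprotocol/server-filesystem", "/srv/mcp/data"],
}
_pending: dict[str, list[str]] = {}  # server-side parameter store, keyed by UUID


def require_auth(req: Request, valid_tokens: set[str]) -> None:
    """Every control-plane route authenticates, loopback or not. A bearer header is used
    because a drive-by page's WebSocket() call cannot set request headers; a cookie would
    be attached automatically and would not help."""
    token = req.headers.get("Authorization", "").removeprefix("Bearer ").strip()
    if not token or token not in valid_tokens:
        raise PermissionError("unauthenticated")


def register_server(req: Request, server_name: str, valid_tokens: set[str]) -> str:
    """POST route (hypothetical path): validate the name against the allowlist and return an
    opaque id. The WebSocket URL later carries only this id, never a command."""
    require_auth(req, valid_tokens)
    if server_name not in ALLOWED_SERVERS:
        raise ValueError(f"server {server_name!r} is not allowlisted")
    sid = str(uuid.uuid4())
    _pending[sid] = list(ALLOWED_SERVERS[server_name])
    return sid


def hardened_mcp_ws(req: Request, valid_tokens: set[str]) -> list[str]:
    """Auth first, then a one-shot lookup of the stored parameters by id."""
    require_auth(req, valid_tokens)
    qs = parse_qs(urlparse(req.url).query)
    sid = qs.get("server_id", [""])[0]
    argv = _pending.pop(sid, None)  # pop: an id cannot be replayed
    if argv is None:
        raise ValueError("unknown server id")
    return argv


def demo() -> dict:
    """Attacker page against both handlers, then the legitimate developer flow."""
    tokens = {"dev-session-token"}  # constructed session token for the example
    attacker = Request(url=build_attacker_url("calc.exe"), remote_addr="127.0.0.1")
    results = {"vulnerable": vulnerable_mcp_ws(attacker)}
    try:
        hardened_mcp_ws(attacker, tokens)
        results["hardened_attacker"] = "ACCEPTED"
    except (PermissionError, ValueError) as exc:
        results["hardened_attacker"] = type(exc).__name__
    dev_headers = {"Authorization": "Bearer dev-session-token"}
    sid = register_server(Request(MCP_WS, "127.0.0.1", dev_headers), "filesystem", tokens)
    results["hardened_dev"] = hardened_mcp_ws(
        Request(f"{MCP_WS}?server_id={sid}", "127.0.0.1", dev_headers), tokens)
    return results


if __name__ == "__main__":
    print(demo())
```

The point the toy makes is that the loopback check contributes nothing once the attacker's code runs on the host: the same 127.0.0.1 peer address is presented in both runs, and only the authentication requirement and the allowlist distinguish the developer's request from the page's. If a deployment authenticates WebSockets with cookies rather than a header, the browser will attach them on the attacker's behalf, so an Origin header check becomes necessary as well.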

Crucially, this never shipped to PyPI. Only developers who built from the GitHub main branch between the MCP plugin landing and the hardening commit were exposed.

But the pattern is general. If an agent can browse untrusted content AND talk to localhost services, loopback is an attack surface.

The durable fix: authenticate every control plane regardless of origin. Allowlist which executables may be invoked as MCP servers. Separate agent identity from developer identity.

Audit your agent deployments now. If your agent can browse AND reach localhost, you are running the same architecture Microsoft just broke.

SOURCE: https://www.microsoft.com/en-us/security/blog/2026/06/18/autojack-single-page-rce-host-running-ai-agent/
VERIFIED: Microsoft Security Blog (June 18, 2026), CSO Online (June 19, 2026), TechRadar (June 19, 2026)
SIGNAL: This exposes a systemic architectural flaw across agent frameworks — localhost is not a trust boundary when agents can browse and reach local services. Every team running browsing agents with local MCP servers needs to review their trust model.