
AutoJack Exploit Hijacks AI Agent for Remote Code Execution


"The vulnerable MCP WebSocket surface 'was never included in a PyPI release,'" Microsoft said — a narrow technical point that nonetheless left a dangerous execution path open in specific builds of an open-source agent framework.

How AutoJack turns a browsing agent into host code execution

Microsoft researchers disclosed an exploit chain called AutoJack that takes a local AI browsing agent and makes it a delivery vehicle for remote code execution on the host. If the agent loads an attacker-controlled web page, the page's JavaScript can reach a privileged local service on the same machine and spawn a process under the account running AutoGen Studio. No credentials, no sign-in prompt, and no further user interaction are required once the agent opens the page: a planted link, a URL field, or a prompt injection is sufficient.

The proof of concept used a "Web Content Summarizer" agent that, when fed an attacker URL, launched calc.exe on the developer's desktop, spawned by the AutoGen Studio process. Microsoft described the work as research and reported no exploitation in the wild.

Which builds are affected: stable PyPI versus pre-releases

A plain pip install autogenstudio pulls the stable release, 0.4.2.2, which does not include any Model Context Protocol (MCP) route and therefore is not vulnerable. The vulnerable MCP WebSocket handler, Microsoft says, was not part of that PyPI stable release. However, the handler did ship to PyPI in two pre-release builds, 0.4.3.dev1 and 0.4.3.dev2.

The Hacker News downloaded and inspected both pre-releases. In those builds the MCP WebSocket route is present, the handler takes the command to run straight from the request, and it does not authenticate the caller. Neither pre-release has been yanked. Pip does not install pre-releases unless the user passes --pre or pins the version, so only users who explicitly installed a pre-release were exposed.

How the vulnerability chain actually worked — and how it was fixed in source

Microsoft laid out three linked weaknesses in the MCP WebSocket that AutoJack exploited:

  • Trusting localhost: the socket accepted any connection that arrived from localhost, a check meant to stop a remote browser pointed at a malicious site. A source address is a location, not an identity: a browsing agent running on the same host connects from 127.0.0.1 and therefore passed the check.
  • Skipped authentication: the authentication middleware exempted MCP paths on the assumption that the handler would verify tokens itself. It did not, so unauthenticated connections were accepted regardless of the configured auth mode.
  • Direct command execution: the endpoint read a command directly from a request parameter and executed it, with no allowlist restricting which executables could be launched.

Maintainers hardened the main branch in commit b047730 (PR #7362). The fixed handler no longer reads the command from the URL; instead, parameters are stored server-side behind a one-time session ID, and unknown IDs are refused. MCP routes now pass through the normal authentication path. That hardening exists in GitHub main, but it has not yet been published as a PyPI release.
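The three weaknesses above and the shape of the fix, side by side, as an added Python example. This is not AutoGen Studio's code or the contents of commit b047730; the route paths, header names, token, and executable allowlist are assumptions, and the returned "spawn" list stands in for the process launch so the block runs safely offline. The vulnerable handler shows why a localhost check does not help: the attacker's page is rendered by a browser on the same host, so its request also arrives from 127.0.0.1.

```python
from __future__ import annotations

import hmac
import secrets
import shlex
from dataclasses import dataclass, field
from typing import Optional


# Constructed stand-in for an incoming WebSocket upgrade request; the real
# handler sees a framework request object, this keeps only the fields that matter.
@dataclass
class Request:
    path: str
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    client_host: str = "127.0.0.1"


# Vulnerable shape: reproduces the three weaknesses the article lists.
# A real handler would hand "spawn" to subprocess; here it is only returned.
def vulnerable_handle(req: Request) -> dict:
    # (1) "Trusting localhost": a source address is a location, not an identity.
    #     A browser rendering attacker JavaScript on this host also arrives from 127.0.0.1.
    if req.client_host not in ("127.0.0.1", "::1"):
        return {"status": 403, "reason": "not localhost"}
    # (2) Auth middleware exempted this path and the handler checks no token.
    # (3) The command comes straight from the request, with no allowlist.
    argv = shlex.split(req.query.get("command", ""))
    if not argv:
        return {"status": 400, "reason": "no command"}
    return {"status": 101, "spawn": argv}


# Hardened shape, following the fix the article describes: launch parameters are
# registered server-side through an authenticated call, the WebSocket carries
# only a one-time session id, and unknown or already-used ids are refused.
ALLOWED_EXECUTABLES = {"npx", "uvx", "python"}  # assumption: illustrative allowlist


class McpSessionStore:
    def __init__(self, api_token: str) -> None:
        self._api_token = api_token
        self._pending: dict[str, dict] = {}

    def _authenticated(self, req: Request) -> bool:
        # Assumed header scheme; the point is that MCP routes use the same path as every other route.
        token = req.headers.get("Authorization", "")
        if token.startswith("Bearer "):
            token = token[len("Bearer "):]
        return hmac.compare_digest(token, self._api_token)  # constant-time, both sides str

    def create_session(self, req: Request, server_params: dict) -> Optional[str]:
        """Authenticated REST step: validate the launch parameters and park them server-side."""
        if not self._authenticated(req):
            return None
        if server_params.get("command") not in ALLOWED_EXECUTABLES:
            return None
        sid = secrets.token_urlsafe(32)  # unguessable one-time id
        self._pending[sid] = {
            "command": server_params["command"],
            "args": list(server_params.get("args", [])),
        }
        return sid

    def hardened_handle(self, req: Request) -> dict:
        """WebSocket step: authenticate, then redeem the id exactly once."""
        if not self._authenticated(req):
            return {"status": 401, "reason": "unauthenticated"}
        params = self._pending.pop(req.query.get("session_id", ""), None)  # pop: single use
        if params is None:
            return {"status": 404, "reason": "unknown or already-used session id"}
        return {"status": 101, "spawn": [params["command"], *params["args"]]}


def demo() -> dict:
    """Runs the attacker page's request against both shapes (constructed input)."""
    # What the attacker's JavaScript would send once the agent loads the page.
    attacker = Request(path="/mcp/ws", query={"command": "calc.exe"},
                       headers={"Origin": "https://attacker.example"})
    store = McpSessionStore(api_token="dev-token-placeholder")
    # A legitimate client registers its MCP server parameters first, then connects.
    legit = Request(path="/mcp/register",
                    headers={"Authorization": "Bearer dev-token-placeholder"})
    sid = store.create_session(legit, {"command": "npx", "args": ["-y", "some-mcp-server"]})
    legit_ws = Request(path="/mcp/ws", query={"session_id": sid},
                       headers={"Authorization": "Bearer dev-token-placeholder"})
    return {
        "vulnerable": vulnerable_handle(attacker),
        "hardened_attacker": store.hardened_handle(attacker),
        "hardened_legit_first": store.hardened_handle(legit_ws),
        "hardened_legit_replay": store.hardened_handle(legit_ws),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable path accepts the attacker's request and would launch calc.exe; the hardened path rejects it for lack of a token, and even a caller holding the token cannot name an executable directly or replay a session id. The allowlist check sits at registration time, where the caller is already authenticated, so the WebSocket handler never has to interpret untrusted strings.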

What this means for technologists, open-source maintainers, and developers who install pre-releases

  • Technologists and security teams: Verify whether any development or test systems installed autogenstudio pre-releases (0.4.3.dev1 or 0.4.3.dev2). If so, either pull the patched source from GitHub main at or after commit b047730 or isolate the service until a fixed PyPI release is available.
  • Open-source maintainers and packaging teams: The packaging detail made the difference between exposure and safety. The vulnerable handler lived only in pre-releases; maintainers should ensure that hardening on main is promoted to releases and that pre-release artifacts are tracked or removed when they introduce dangerous handlers.
  • End users and developers: A plain pip install autogenstudio yielding 0.4.2.2 is not affected. If you installed a pre-release, follow the source fix or isolate AutoGen Studio from any browsing or code-execution agents that touch untrusted content.

Microsoft's position is that the AutoGen Studio bugs are fixed in source, but it warned that the pattern is not unique and expects similar problems in other agent frameworks: a local service with excessive privilege, a localhost check treated as a security boundary, and an agent that opens untrusted pages. The Hacker News observed a related vector last month in ChatGPhish, and Microsoft previously made a similar localhost argument in Semantic Kernel research tracked as CVE-2026-26030 and CVE-2026-25592.

Until maintainers ship a patched PyPI release, the practical defenses are straightforward and specific: do not run AutoGen Studio on the same machine as any browsing or code-execution agent that touches untrusted content; if co-location is unavoidable, isolate each component in separate containers or virtual machines and run AutoGen Studio under a low-privilege account; and, where possible, deploy the GitHub main fix (commit b047730) rather than relying on an unpatched package.

The tight window between a source fix and a packaged release, combined with the ease of turning an agent into an execution vector, leaves a precise, fixable risk: either change where the code runs, or change the code. For now, Microsoft has changed the code in main; the next necessary step is to get that change into distribution.
