What happened
Microsoft disclosed AutoJack on June 18, 2026: an exploit chain that lets untrusted web content rendered by an AI browsing agent reach a local MCP WebSocket and execute arbitrary processes on the host. The chain combines three weaknesses: a localhost origin bypass (the agent inherits local identity), missing authentication on MCP paths, and unsafe parameter injection via the URL. The vulnerable code never shipped in PyPI releases, and upstream was hardened before publication.
Why it matters
AutoJack demonstrates a systemic risk pattern: the localhost trust boundary becomes attack surface when an agent can browse the web and access local services at the same time. The chain converts the browsing agent into a delivery vehicle for RCE, and the pattern extends beyond AutoGen to any framework that allows agent web browsing together with local tool access.
Applicability
Developers using AutoGen Studio or similar frameworks with web-browsing and local-service capabilities. An immediate audit is required for localhost-bound control planes exposed to agent browsing.
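As a reference point for that audit, the following added example (not AutoGen Studio's code or the upstream fix) sketches a WebSocket handshake gate that addresses each of the three weaknesses listed under "What happened". The origin, the `/mcp/ws` path, the tool registry and the `auth.` subprotocol convention for carrying the token are assumptions made for illustration.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Hypothetical values for illustration; none come from AutoGen Studio.
ALLOWED_ORIGINS = {"http://127.0.0.1:8081"}        # the control UI's own origin
TOOL_REGISTRY = {"fs-readonly": ["mcp-fs", "--read-only"]}  # server-side argv


def authorize_handshake(peer_ip, target, headers, session_token):
    """Return (allowed, detail) for a WebSocket upgrade on a local MCP path.

    headers is a dict keyed by lower-cased header name.
    """
    # 1. A loopback peer is not an identity: a browser driven by the agent
    #    on the same host also connects from 127.0.0.1, so the address only
    #    narrows who may try, it never grants access.
    if peer_ip not in ("127.0.0.1", "::1"):
        return False, "non-loopback peer"
    # 2. Browsers attach Origin to WebSocket handshakes. Reject any page
    #    that is not the control UI; a missing Origin is rejected as well.
    if headers.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    # 3. Authenticate every MCP path with a per-session secret. It is read
    #    from an "auth.<token>" subprotocol entry (assumed convention),
    #    because browser WebSocket clients cannot set Authorization.
    offered = headers.get("sec-websocket-protocol", "").split(",")
    presented = next(
        (p.strip()[5:] for p in offered if p.strip().startswith("auth.")), "")
    if not presented or not hmac.compare_digest(
            presented.encode(), session_token.encode()):
        return False, "missing or bad token"
    # 4. The URL may only name a registered tool. It never carries a command
    #    line or arguments; any other parameter fails the handshake.
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if set(query) != {"tool"} or len(query["tool"]) != 1:
        return False, "unexpected query parameters"
    argv = TOOL_REGISTRY.get(query["tool"][0])
    if argv is None:
        return False, "unknown tool"
    return True, list(argv)   # argv comes from the registry, not the request
```
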