RSS

Microsoft fixes AutoGen Studio flaw that enabled code execution

rndsignals1 pts0 comments

Microsoft fixes AutoGen Studio flaw that enabled code execution

Home<br>News<br>Security<br>Microsoft fixes AutoGen Studio flaw that enabled code execution

Microsoft fixes AutoGen Studio flaw that enabled code execution

By Bill Toulas

June 22, 2026

01:28 PM

A vulnerability chain dubbed AutoJack in Microsoft&rsquo;s AutoGen Studio interface for prototyping AI agents could let attackers manipulate an agent into executing arbitrary commands on its host system simply by visiting a malicious webpage.

AutoGen Studio is the graphical component for AutoGen, Microsoft&rsquo;s open-source framework for building multi-agent AI systems. The framework allows developers to create AI agents that can collaborate with one another, use tools, browse the web, execute code, interact with APIs, and connect to external systems.

The project is very popular, with more than 59,000 stars and nearly 9,000 forks on GitHub. Microsoft notes that AutoJack's impact was limited because the issue was addressed during development.

"This issue was identified and remediated before any PyPI release, so the affected code never shipped in a published package," Microsoft says.

"The exposure was limited to developers who built AutoGen Studio from the main GitHub branch during the window between the MCP plugin landing and the hardening commit.'

AutoJack details

Microsoft describes the AutoJack attack as being based on three separate weaknesses in AutoGen Studio:

The MCP WebSocket trusts connections originating from localhost, allowing a browsing agent running on the same machine to be tricked into loading attacker-controlled JavaScript that appeared to come from a trusted local source

AutoGen Studio's authentication middleware excludes /api/mcp/* routes from authentication checks, while the MCP WebSocket endpoint fails to implement its own authentication, leaving it accessible without credentials

The MCP WebSocket accepts a base64-encoded server_params value from the URL and passes it to the process-launching code, allowing attackers to specify and execute arbitrary PowerShell, Bash commands, or executables.

Origin bypass via the AI agent<br>Source: Microsoft

In a realistic attack scenario that Microsoft presented, a malicious JavaScript executes on a page visited by a developer&rsquo;s AI agent, which opens a WebSocket connection to AutoGen Studio's local MCP endpoint.

The payload instructs AutoGen Studio to launch an attacker-chosen command with the privileges of the developer&rsquo;s account. To demonstrate the effect, Microsoft demonstrated the launch of Windows Calculator.

AutoJack demo launching Calc.exe<br>Source: Microsoft

It should be noted that users installing AutoGen Studio from the Python Package Index (PyPI) were never exposed to the affected code. The latest current package, autogenstudio 0.4.2.2, does not contain the AutoJack weaknesses.

However, developers building AutoGen directly from GitHub during a limited window before commit b047730 were impacted for a short period.

Microsoft recommends users who install AutoGen Studio to deploy it "strictly as a developer prototype in an isolated environment" that is not exposed to the internet.

Furthermore, the maintainer emphasizes that the project should not be run with an agent capable of browsing or executing arbitrary code on a machine with untrusted content.

"Run AutoGen Studio under a low-privilege account in a sandboxed user profile or container so that any future agent-driven RCE is contained to a dev profile, not your daily-driver account," advises Microsoft.

Test every layer before attackers do

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.<br>The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

Related Articles:

Max-severity flaw in ChromaDB for AI apps allows server hijacking<br>18-year-old NGINX vulnerability allows DoS, potential RCE<br>New critical Exim mailer flaw allows remote code execution<br>F5 issues out-of-band patches for critical NGINX vulnerabilities<br>Path traversal flaw in AI dev platform Langflow exploited in attacks

Agentic AI

AI

AI Agents

Artificial Intelligence

RCE

Remote Code Execution

Vulnerability

Bill Toulas

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Previous Article

Next Article

Post a Comment Community Rules

You need to login in order to post a comment

Not a member yet? Register Now

You may also like:

Upcoming Webinar

Popular Stories

Webinar: How attackers bypass MFA and how defenders can respond

Klue OAuth breach victim list grows as Icarus hackers claim attack

Microsoft: June 2026 Windows updates break Recycle Bin prompts

Sponsor Posts

AI is a data-breach time bomb: Read the new report

Overdue a password...

microsoft autogen studio code flaw agent

Related Articles

Apple WWDC 2026 Livestream

nextstep32 ptsapple stream video event live feed

Claude Fable 5

Philpax30 ptsfable claude mythos model models capabilities

US Government directive to suspend access to Fable 5 and Mythos 5

Dylan131224 ptsfable government anthropic jailbreak access mythos

Is AI ruining our skills? Early results are in – and they're not good

Michelangelo1124 ptstools skills during physicians colonoscopies tool

The Anatomy of an AI-Native Org

kiyanwang22 ptstranslated managers business translation language engineering
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.