{"data":{"id":"1d58b0e7-8d9e-4937-9c0a-c562da5c12af","title":"Microsoft fixes AutoGen Studio flaw that enabled code execution","summary":"Microsoft fixed a vulnerability chain called AutoJack in AutoGen Studio, a graphical tool for building multi-agent AI systems (where multiple AI programs work together). The flaw let attackers trick an AI agent into running arbitrary commands (unrestricted code) on the host system just by having a developer visit a malicious webpage. The vulnerability was caught before any official release, so only developers building directly from GitHub source code during a brief window were affected.","solution":"Microsoft states that the issue was 'identified and remediated before any PyPI release, so the affected code never shipped in a published package.' Users installing from the Python Package Index received the patched version (autogenstudio 0.4.2.2), which does not contain the AutoJack weaknesses. Microsoft also recommends deploying AutoGen Studio 'strictly as a developer prototype in an isolated environment' not exposed to the internet, and advises running it 'under a low-privilege account in a sandboxed user profile or container' to contain any future agent-driven RCE (remote code execution, where attackers run commands on a system they don't own).","labels":["security"],"sourceUrl":"https://www.bleepingcomputer.com/news/security/microsoft-fixes-autogen-studio-flaw-that-enabled-code-execution/","publishedAt":"2026-06-22T17:28:57.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["prompt_injection"],"issueType":"news","affectedPackages":null,"affectedVendors":["Microsoft"],"affectedVendorsRaw":["Microsoft","AutoGen Studio","AutoGen"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-06-22T17:28:57.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","availability"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}