Microsoft fixes AutoGen Studio flaw that enabled code execution
Summary
Microsoft fixed a vulnerability chain called AutoJack in AutoGen Studio, a graphical tool for building multi-agent AI systems (where multiple AI programs work together). The flaw let attackers trick an AI agent into running arbitrary commands (unrestricted code) on the host system just by having a developer visit a malicious webpage. The vulnerability was caught before any official release, so only developers building directly from GitHub source code during a brief window were affected.
Solution / Mitigation
Microsoft states that the issue was 'identified and remediated before any PyPI release, so the affected code never shipped in a published package.' Users installing from the Python Package Index received the patched version (autogenstudio 0.4.2.2), which does not contain the AutoJack weaknesses. Microsoft also recommends deploying AutoGen Studio 'strictly as a developer prototype in an isolated environment' not exposed to the internet, and advises running it 'under a low-privilege account in a sandboxed user profile or container' to contain any future agent-driven RCE (remote code execution, where attackers run commands on a system they don't own).
Original source: https://www.bleepingcomputer.com/news/security/microsoft-fixes-autogen-studio-flaw-that-enabled-code-execution/
First tracked: June 22, 2026 at 02:00 PM