Microsoft says web-enabled AI agents can trigger host-level RCE
Summary
Microsoft discovered a security vulnerability called "AutoJack" that allows malicious webpages to trick AI agents (programs that can browse the web and access local services) into running harmful code on a user's computer. The attack works by chaining together three separate weaknesses in AutoGen Studio (Microsoft's tool for building AI agents), exploiting the fact that web-browsing agents have trusted access to local services that normally block outside access.
Solution / Mitigation
For users installing AutoGen Studio from source, the maintainers removed URL-based parameter injection, routed MCP paths through normal authentication flows, and implemented server-side parameter handling keyed to session identifiers. Users who installed AutoGen Studio through PyPI were never exposed to this vulnerability, as the vulnerable code only existed in development builds and was never shipped in public releases.
Classification
Affected Vendors
Related Issues
CVE-2026-30308: In its design for automatic terminal command execution, HAI Build Code Generator offers two options: Execute safe comman
CVE-2026-40087: LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-str
Original source: https://www.csoonline.com/article/4187155/microsoft-says-web-enabled-ai-agents-can-trigger-host-level-rce.html
First tracked: June 19, 2026 at 08:00 AM
Classified by LLM (prompt v3) · confidence: 92%