DEV Community

Achin Bansal

Originally published at gridthegrey.com

AutoJack Exploit Chain Achieves RCE via AI Agent Browsing Local MCP Socket

Forensic Summary

Researchers at Microsoft identified a three-stage exploit chain in AutoGen Studio that lets a malicious web page, visited by a browsing AI agent, reach the host's local Model Context Protocol (MCP) WebSocket and spawn arbitrary processes. The three stages are: an origin allowlist that could be bypassed, so the agent's browser would complete a WebSocket handshake from an attacker-controlled page; authentication middleware that exempted the MCP endpoints, so no session was required once the socket was open; and command parameters taken from the URL without sanitisation, so the page could choose what the host executed. Note that the browser's same-origin policy does not block a page from opening a WebSocket to localhost; the server's Origin check is the only thing standing between a remote page and a loopback service. Although the vulnerable surface was never shipped in a PyPI release, the finding exposes a systemic architectural risk in any agent framework that combines untrusted browsing with privileged localhost services.
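As an added illustration, not code from AutoGen Studio or from the Microsoft write-up, the three weakness classes named above are shown below in Python, each weak form beside a hardened one. The allowlist, paths, token, server catalogue and function names are assumptions chosen for the example; the exploit shape is generic (substring origin matching, an auth exemption on a privileged prefix, and shell-string command building from query parameters), not the specific bug.

```python
"""Illustrative only: generic weak/strict checks for the three stages of a
page-to-localhost-WebSocket chain. Not AutoGen Studio code; all names assumed."""
import hmac
import re
from typing import Optional
from urllib.parse import urlparse

# Assumed origins the UI is actually served from (constructed for the example).
ALLOWED_ORIGINS = {"http://localhost:8081", "http://127.0.0.1:8081"}


# Stage 1: Origin allowlist on the WebSocket handshake.
def origin_allowed_weak(origin: str) -> bool:
    # Substring match: "http://localhost.attacker.example" contains "localhost".
    return any(urlparse(a).hostname in origin for a in ALLOWED_ORIGINS)


def origin_allowed_strict(origin: str) -> bool:
    """Compare the normalised scheme://host:port tuple exactly."""
    p = urlparse(origin or "")
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    try:
        port = p.port or (443 if p.scheme == "https" else 80)
    except ValueError:  # malformed port
        return False
    return f"{p.scheme}://{p.hostname.lower()}:{port}" in ALLOWED_ORIGINS


# Stage 2: authentication middleware coverage.
SESSION_TOKEN = "example-session-token"  # constructed; a real token is random
PUBLIC_PATHS = {"/healthz", "/login"}    # the only routes that need no session


def request_authorized_weak(path: str, token: Optional[str]) -> bool:
    # Exempting a whole privileged prefix from auth: the MCP socket is open to all.
    if path.startswith("/api/mcp"):
        return True
    return token == SESSION_TOKEN


def request_authorized_strict(path: str, token: Optional[str]) -> bool:
    # Deny by default; exemptions are an explicit, short list of exact paths.
    if path in PUBLIC_PATHS:
        return True
    return token is not None and hmac.compare_digest(token, SESSION_TOKEN)


# Stage 3: process launch from URL-derived parameters.
# Assumed server catalogue: what may be launched lives in config, not in the URL.
MCP_SERVERS = {"echo": ["python3", "-m", "echo_server"]}
SAFE_ARG = re.compile(r"[A-Za-z0-9_./-]{1,128}")


def build_command_weak(params: dict) -> str:
    # Command and args come straight from the query string and go to a shell.
    return f"{params.get('command', '')} {params.get('args', '')}"


def build_command_strict(params: dict) -> Optional[list]:
    """Return an argv list for a catalogued server, or None if anything is off."""
    argv = MCP_SERVERS.get(params.get("server", ""))
    if argv is None:
        return None
    extra = params.get("args", "")
    args = extra.split() if extra else []
    if not all(SAFE_ARG.fullmatch(a) for a in args):
        return None
    return argv + args  # to be passed to subprocess as argv, never shell=True


def admit_websocket_strict(origin: str, path: str, token: Optional[str]) -> bool:
    """All three checks in sequence; a page on a foreign origin fails at step 1."""
    return origin_allowed_strict(origin) and request_authorized_strict(path, token)
```

The strict origin check is the one that matters most for the chain described above: once a foreign page cannot complete the handshake, the auth exemption and the unsanitised parameters are no longer reachable from the browser. Keeping the other two fixes is still worthwhile, because any other localhost client (a second tab, a compromised extension, another local process) would otherwise inherit the same unauthenticated launch surface.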


Read the full technical deep-dive on Grid the Grey: https://gridthegrey.com/posts/autojack-exploit-chain-achieves-rce-via-ai-agent-browsing-local-mcp-socket/
