Last updated: July 5, 2026 at 9:01 AM UTC
Tag: autojack (1 article)

AutoJack turns AI browsing agents into a path to host code execution

Microsoft researchers detailed AutoJack, an attack that turns an AI browsing agent into a route for running code on the user's machine. If the agent is steered to open an attacker's web page, that page's JavaScript can reach a privileged local service on the same host and spawn a process, with no credentials and no further interaction once the page loads. A planted link, poisoned URL field, or prompt injection is enough to trigger it. The demonstrated flaw sits in AutoGen Studio, the prototyping interface for Microsoft's AutoGen agent framework. The lesson: once an agent browses the open web and can reach local services, localhost is no longer a trust boundary.

Check
Inventory AI agents and assistants that can both browse the web and reach local services, and check whether any expose privileged localhost endpoints, such as AutoGen Studio, without authentication.
Affected
Developers and teams running web-browsing AI agents that can reach unauthenticated local services on the same host; the public demonstration targets Microsoft's AutoGen Studio prototyping interface.
Fix
Authenticate local control-plane services rather than trusting localhost, keep agent process execution behind an allowlist, give agents their own least-privilege identity, and isolate agent runtimes from sensitive hosts and developer sessions.
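A sketch of the first two fixes as a request gate for a local control-plane service. This is an added example, not code from AutoGen Studio or from the research described above. The port, header policy, token scheme, and the names `authorize`, `ALLOWED_HOSTS` and `ALLOWED_COMMANDS` are hypothetical.

```python
import hmac
import secrets

# Assumptions (hypothetical, not AutoGen Studio's API): the service listens on
# 127.0.0.1:8081, issues one random token per session to its legitimate client,
# and may only start the executables named in ALLOWED_COMMANDS.
SESSION_TOKEN = secrets.token_urlsafe(32)
ALLOWED_HOSTS = {"127.0.0.1:8081", "localhost:8081"}
ALLOWED_ORIGINS = {"http://" + host for host in ALLOWED_HOSTS}
ALLOWED_COMMANDS = {"python3", "git"}


def authorize(headers, argv, token=SESSION_TOKEN):
    """Return (allowed, reason) for a request asking the service to run argv."""
    h = {k.lower(): v for k, v in headers.items()}
    # Reject any Host that is not the service's own loopback name.
    if h.get("host") not in ALLOWED_HOSTS:
        return False, "unexpected Host header"
    # If the browser sent an Origin, it must be the service's own UI,
    # never an arbitrary web page the agent happened to open.
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "cross-origin request"
    # Arriving over loopback proves nothing: require the per-session secret,
    # compared in constant time.
    scheme, _, presented = h.get("authorization", "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(presented.encode(), token.encode()):
        return False, "missing or invalid token"
    # Even an authenticated caller may only start allowlisted executables
    # (exact match on argv[0], so a path to another binary is refused).
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        return False, "command not on allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    own = {"Host": "127.0.0.1:8081", "Authorization": "Bearer " + SESSION_TOKEN}
    page = {"Host": "127.0.0.1:8081", "Origin": "https://untrusted.example"}
    print(authorize(own, ["git", "status"]))
    print(authorize(page, ["git", "status"]))
    print(authorize(own, ["curl", "https://untrusted.example"]))
```

The gate covers authentication and the execution allowlist only; least-privilege identity and runtime isolation are deployment controls that sit outside the service's request handling.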