
The first involved an origin allowlist designed to accept connections only from localhost. Under normal conditions, this protection would block a browser visiting a malicious external website. However, Microsoft found that a browsing agent running locally inherits the localhost identity, allowing attacker-controlled JavaScript rendered by the agent to satisfy the origin check.
The second issue stemmed from the authentication logic. AutoGen Studio’s authentication process excluded MCP WebSocket paths from normal authentication checks, assuming those endpoints would implement their own controls. According to Microsoft, the MCP route never enforced those additional checks, leaving the interface accessible without authentication regardless of the configured authentication mode.
The third was the most dangerous of the issues. The MCP endpoint accepted a “server_params” value supplied through the URL, decoded it, and passed the resulting command and arguments directly to the process-spawning mechanism used for MCP servers. Because no allowlist restricted which executables could be launched, attackers could specify arbitrary commands such as PowerShell, Bash, or other binaries.
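The two controls the second and third issues lacked, as an added example rather than AutoGen Studio's own code: authentication enforced on the MCP route regardless of path or origin, and an executable allowlist checked before anything is spawned. The JSON encoding of server_params, the bearer-token scheme, and the allowlisted paths are assumptions constructed for the illustration.

```python
"""Hardened handling of an MCP 'server_params' value (example code)."""
import hmac
import json
from urllib.parse import parse_qs, urlparse

# Constructed allowlist: the only MCP server launchers that may be spawned.
# Anything else, PowerShell and Bash included, is rejected before spawn.
ALLOWED_COMMANDS = {
    "/usr/local/bin/mcp-filesystem",
    "/usr/local/bin/mcp-fetch",
}


def authenticated(headers, expected_token):
    """Every route, MCP WebSocket paths included, needs a valid token.
    A localhost Origin is not a substitute: a local browsing agent
    carries that identity too (assumed 'Bearer <token>' scheme)."""
    presented = headers.get("authorization", "")
    return hmac.compare_digest(
        presented.encode(), f"Bearer {expected_token}".encode()
    )


def parse_server_params(url):
    """Decode server_params (assumed JSON in the query string) and return
    (argv, None) if it is allowlisted, else (None, reason)."""
    raw = parse_qs(urlparse(url).query).get("server_params")
    if not raw:
        return None, "missing server_params"
    try:
        params = json.loads(raw[0])
    except ValueError:
        return None, "malformed server_params"
    command = params.get("command")
    args = params.get("args", [])
    if command not in ALLOWED_COMMANDS:
        # Exact-path match: no relative names, no PATH lookup, no shell.
        return None, f"command not allowlisted: {command!r}"
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return None, "args must be a list of strings"
    return [command, *args], None


def authorize_spawn(url, headers, expected_token):
    """Full decision for one request: (ok, argv-or-reason)."""
    if not authenticated(headers, expected_token):
        return False, "unauthenticated"
    argv, reason = parse_server_params(url)
    return (True, argv) if argv else (False, reason)
```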
