AI Security & Governance · Jun 20, 2026 · 6 min read

Localhost Is Dead: Three Agent Framework RCE Disclosures in 72 Hours

AutoJack, Cline CVE-2026-44211, and 7,000 Langflow servers under attack share one flaw: agents that browse the web and talk to local services break localhost trust.

By SpringVanta

The assumption that localhost is a safe trust boundary is dying. Three independent security disclosures in the last 72 hours killed it from different directions, all targeting the same structural flaw: AI agents that browse the web and talk to local services turn a malicious webpage into a bridge to the host machine.

Three agent frameworks. Three research teams. One outcome: a shell on the box running your AI agent, with access to every credential the process holds.

Three agent frameworks sharing the same localhost trust boundary flaw, June 2026

AutoJack: Microsoft shows how one webpage becomes a shell

On June 18, Microsoft's Defender Security Research team published a detailed writeup of "AutoJack," an exploit chain against AutoGen Studio that takes a malicious webpage from the open internet and turns it into arbitrary code execution on the developer's machine.

The chain is three weaknesses stacked. First, AutoGen Studio's MCP WebSocket only accepted connections from localhost — a check meant to keep external browsers out. But a browsing agent running on the same machine inherits that localhost identity. When the agent loads an attacker's page, the hostile JavaScript passes the origin check because the request genuinely comes from 127.0.0.1.

Second, the authentication middleware skipped MCP WebSocket paths, assuming the handler would enforce its own controls. It never did.

Third, the MCP endpoint accepted a server_params value from the URL and passed it directly to the process spawner. No allowlist. No sanitization. An attacker could specify PowerShell, Bash, or anything else.

Microsoft's phrasing is blunt: "When an agent on your core server or laptop can browse the open web and communicate with privileged local services, localhost stops being a trust boundary."

The vulnerable code existed only in development builds and never shipped to PyPI's stable release. Microsoft reported it through MSRC and the maintainers hardened the main branch. But the pattern, Microsoft emphasized, extends far beyond AutoGen. Any agent framework where the same process browses untrusted content and holds privileged local access has this problem.

Cline: same pattern, CVSS 9.6, patched now

The same week, researchers disclosed CVE-2026-44211 against Cline, a widely used AI coding assistant. The flaw sits in the Kanban server component, which starts a WebSocket on 127.0.0.1:3484 when active. The server accepted all connections without checking the Origin header.

Because WebSocket connections are not bound by the Same-Origin Policy that governs normal web traffic, a browser freely sends requests to localhost regardless of which site the user is visiting. A developer who visits a malicious page while the Kanban server is running hands the attacker a live connection to the agent backend.

From there, the attacker gets three things: workspace metadata including project paths and Git branch information, the live stream of AI conversation history, and the ability to inject prompts into active agent sessions. That last one can lead to remote code execution, since the agent can be instructed to run commands on the developer's machine.

The fix is Cline version 3.82.0 or later. The advisory from Eventus Systems rated it CVSS 9.6 — critical. What makes this one harder to dismiss is that it requires zero interaction beyond visiting a webpage while the tool is running. No click, no download, no social engineering beyond planting a link.
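The AutoJack and Cline flaws are the same admission mistake seen from two frameworks: a loopback source address is treated as proof that the client is the developer's own UI. The following is an added example, not code from AutoGen Studio, Cline, or Microsoft, showing the weak check beside a hardened handshake policy that also requires an allowlisted Origin and a per-launch secret, plus a registry lookup for the third AutoJack weakness so that the spawn command never comes from the request. The `Handshake` class, the origins, the token, and the MCP server registry are all constructed for the example.

```python
# Added example, not code from AutoGen Studio or Cline: an admission policy for a
# WebSocket that a local agent service listens on at 127.0.0.1. A browser (or a
# browsing agent) on the same machine also connects from the loopback address, so
# the source address cannot tell the developer's own client apart from a page it
# was tricked into loading. Every name and value here is constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import hmac


@dataclass
class Handshake:
    """Fields of the HTTP Upgrade request that the decision needs."""
    remote_addr: str
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased names
    # Browsers cannot set Authorization on a WebSocket, so a local UI passes a
    # per-launch secret another way (query string or subprotocol entry); the
    # server has already extracted it into this field.
    token: Optional[str] = None


# The weak check from the disclosures: a loopback source address is all that is asked.
def admit_loopback_only(req: Handshake) -> bool:
    return req.remote_addr in ("127.0.0.1", "::1")


ALLOWED_ORIGINS = {"http://127.0.0.1:8080", "http://localhost:8080"}  # constructed
SESSION_TOKEN = "constructed-random-per-launch-secret"               # constructed


def admit_hardened(req: Handshake) -> Tuple[bool, str]:
    """Loopback is necessary but not sufficient: Origin and a secret are required."""
    if req.remote_addr not in ("127.0.0.1", "::1"):
        return False, "non-loopback source"
    origin = req.headers.get("origin")
    if origin is None:
        return False, "missing Origin header"   # non-browser clients must send one too
    if origin not in ALLOWED_ORIGINS:
        return False, "origin not allowlisted"  # a hostile page fails here
    if req.token is None:
        return False, "missing session token"
    if not hmac.compare_digest(req.token, SESSION_TOKEN):
        return False, "bad session token"
    return True, "ok"


# The third AutoJack weakness was a spawn command taken straight from the request.
# Hardened form: the request names a registry entry; argv never comes from the caller.
MCP_SERVER_REGISTRY: Dict[str, List[str]] = {  # constructed; a real one lives in config
    "filesystem": ["./mcp-servers/filesystem", "--root", "/workspace"],
}


def resolve_server_command(server_id: str) -> List[str]:
    if server_id not in MCP_SERVER_REGISTRY:
        raise ValueError(f"unknown MCP server id: {server_id!r}")
    return list(MCP_SERVER_REGISTRY[server_id])


if __name__ == "__main__":
    # Constructed handshake: loopback source, but the page that opened the socket is foreign.
    hostile = Handshake("127.0.0.1", {"origin": "https://hostile.example"})
    print("loopback-only check admits hostile page:", admit_loopback_only(hostile))
    print("hardened check:", admit_hardened(hostile))
    legit = Handshake("127.0.0.1", {"origin": "http://127.0.0.1:8080"}, SESSION_TOKEN)
    print("hardened check on the real UI:", admit_hardened(legit))
    print("spawn by id:", resolve_server_command("filesystem"))
```

The Origin check alone is what Cline lacked; the secret is what closes the gap for clients that are not browsers and can set any Origin they like. Treat a missing Origin as a rejection, not a pass, and rotate the secret on every launch so that a value leaked from one session is worthless in the next.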

7,000 Langflow servers under active attack

The third disclosure moved past theory. VentureBeat reported June 19 that researchers from Check Point, Tenable, VulnCheck, and Cyera independently documented exploitable vulnerabilities across Langflow, LangGraph, and LangChain — three of the most widely deployed agent frameworks in production. Roughly 7,000 Langflow servers are under active attack as of June 19.

The bugs are different files in different codebases, but the consequence is the same: an attacker gets a shell or a credential read on the machine running the agent.

LangGraph's chain is particularly nasty. Check Point researcher Yarden Porat found CVE-2025-67644, a SQL injection in the SQLite checkpointer's WHERE clause builder — user-controlled filter keys dropped directly into the query with no parameterization. That alone gives an attacker write access to the checkpoint store. Combined with CVE-2026-28277, a flaw in the msgpack checkpoint decoder that can import a module and call a function with attacker-supplied arguments, it becomes arbitrary Python execution under the agent's own process identity. Both bugs sat in production code. LangGraph clears 50 million downloads a month.
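The checkpointer bug is worth seeing in miniature, because it is a case that parameterized queries alone do not fix: filter values can be bound with placeholders, but filter keys become column names, and an identifier cannot be bound. The following is an added example, not LangGraph's code, run against a constructed in-memory SQLite table: the unsafe builder interpolates the key verbatim, while the hardened builder rejects any key that is not a known column before quoting it.

```python
# Added example, not LangGraph's code: the SQL-injection class described for the
# checkpointer WHERE-clause builder, on a constructed SQLite checkpoint table.
import sqlite3
from typing import Any, Callable, Dict, List, Tuple

# Constructed schema and rows, loosely shaped like a checkpoint store.
SCHEMA = """
CREATE TABLE checkpoints (
    thread_id TEXT, checkpoint_ns TEXT, checkpoint_id TEXT, payload BLOB
);
INSERT INTO checkpoints VALUES ('t1', '', 'c1', x'00'),
                               ('t1', '', 'c2', x'01'),
                               ('t2', '', 'c3', x'02');
"""
ALLOWED_FILTER_COLUMNS = {"thread_id", "checkpoint_ns", "checkpoint_id"}

Builder = Callable[[Dict[str, Any]], Tuple[str, List[Any]]]


def build_where_unsafe(filters: Dict[str, Any]) -> Tuple[str, List[Any]]:
    """Vulnerable pattern: the key is pasted into the SQL text as-is."""
    clauses = [f"{key} = ?" for key in filters]
    return " AND ".join(clauses), list(filters.values())


def build_where_safe(filters: Dict[str, Any]) -> Tuple[str, List[Any]]:
    """Hardened: refuse unknown keys, quote the survivors, bind every value."""
    bad = [key for key in filters if key not in ALLOWED_FILTER_COLUMNS]
    if bad:
        raise ValueError(f"unsupported filter key(s): {bad!r}")
    clauses = [f'"{key}" = ?' for key in filters]
    return " AND ".join(clauses), list(filters.values())


def list_checkpoints(filters: Dict[str, Any], builder: Builder) -> List[str]:
    """Run a history query through the given builder; return matching checkpoint ids."""
    where, params = builder(filters)
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = conn.execute(f"SELECT checkpoint_id FROM checkpoints WHERE {where}", params)
    ids = [row[0] for row in rows]
    conn.close()
    return ids


if __name__ == "__main__":
    normal = {"thread_id": "t1"}
    print("safe, normal filter:  ", list_checkpoints(normal, build_where_safe))
    # A key carrying SQL syntax: the unsafe builder lets it rewrite the WHERE clause.
    tampered = {"1=1 OR thread_id": "t1"}
    print("unsafe, tampered key: ", list_checkpoints(tampered, build_where_unsafe))
    try:
        list_checkpoints(tampered, build_where_safe)
    except ValueError as err:
        print("safe, tampered key:    rejected:", err)
```

The allowlist is the fix; the quoting is defence in depth. If the set of filterable columns ever needs to grow, it grows in `ALLOWED_FILTER_COLUMNS`, never by accepting whatever key the request carries.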

Langflow's problem is a path traversal in its file upload endpoint, the kind of vulnerability on every standard checklist, now being actively exploited across thousands of internet-exposed instances.

Cyera documented a path traversal in LangChain-core's prompt loader that reads secrets off disk, including API keys and configuration files the agent process can reach.
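Both the Langflow upload bug and the LangChain-core prompt-loader bug are the same containment failure: a path derived from untrusted input is opened without checking that it still lands inside the directory the feature was meant to serve. The following is an added example, not code from either project, giving one check that covers both cases. It resolves the candidate path before comparing so that `..` segments, absolute paths, and symlinks pointing out of the base are all caught, and it treats an upload name as a bare file name rather than a path. The base directory and file names are constructed.

```python
# Added example, not Langflow's or LangChain's code: one containment check for
# both the upload endpoint and the prompt-loader cases. Paths are constructed.
from pathlib import Path, PurePosixPath
from typing import Union


def resolve_inside(base: Union[str, Path], user_path: str) -> Path:
    """Resolve user_path against base and refuse anything that lands outside it.

    Resolving first matters: '..' segments collapse, joining an absolute path to
    a Path silently discards the base, and symlinks may point out of it. Only
    the fully resolved result is compared against the resolved base.
    """
    base_dir = Path(base).resolve()
    candidate = (base_dir / user_path).resolve()
    if candidate != base_dir and base_dir not in candidate.parents:
        raise ValueError(f"path escapes {base_dir}: {user_path!r}")
    return candidate


def upload_target(base: Union[str, Path], client_filename: str) -> Path:
    """Uploads: the client chooses a file *name*, never a path, so reject anything else."""
    name = PurePosixPath(client_filename).name  # drops any directory component
    if name in ("", ".", "..") or name != client_filename or "\\" in name:
        raise ValueError(f"refusing upload name {client_filename!r}")
    return resolve_inside(base, name)


if __name__ == "__main__":
    base = "/srv/agent-files"  # constructed
    print(resolve_inside(base, "prompts/system.txt"))
    for bad in ("../../etc/passwd", "/etc/passwd", "prompts/../../secrets.env"):
        try:
            resolve_inside(base, bad)
        except ValueError as err:
            print("rejected:", err)
    print(upload_target(base, "report.pdf"))
    try:
        upload_target(base, "../report.pdf")
    except ValueError as err:
        print("rejected:", err)
```

Two caveats a reviewer would raise. The comparison is on path components, not string prefixes, so a sibling directory such as `/srv/agent-files-old` is correctly treated as outside. And resolving then opening is still two steps; where an attacker can create symlinks inside the base between them, open the file with `O_NOFOLLOW` or a directory-relative open in addition to this check.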

Why this keeps happening

These are not exotic zero-days. SQL injection, path traversal, missing Origin validation, unauthenticated local services. Each one is a well-understood vulnerability class with established fixes. The problem is that agent frameworks went from research prototypes to production infrastructure faster than anyone secured them.

The pattern across all three disclosures is the same: a local service that trusts its own machine, combined with an agent that reaches out to untrusted content, combined with no isolation between those two activities. The agent's ability to browse the web and call local tools in the same workflow is what makes it productive. It is also what makes it dangerous.

Google DeepMind addressed this directly in a June 18 blog post outlining its AI Control Roadmap, which treats internal agents as potential insider threats, "similar to the way a company would treat a potential rogue employee who already has access to the office." The framework assumes alignment is imperfect and builds system-level controls that work even when the model misbehaves.

Snowflake published its own framework the same day. Their Data-Model-Agent security model starts from the premise that agent actions need to be attributable, governed, and recoverable, with sensitive information prevented from leaving approved boundaries.

Both are responses to the same gap: the tools organizations use to build agents were never designed with the assumption that the agent itself could become the attack vector.

What to do this week

If you are running agents in production on any of these frameworks, the priorities are concrete.

Patch everything. AutoGen Studio main branch is hardened at commit b047730. Cline 3.82.0+ fixes the WebSocket issue. Langflow, LangGraph, and LangChain all have advisories from Check Point, Tenable, VulnCheck, and Cyera with specific CVE references.

Audit your checkpoint stores. The LangGraph SQL injection only affects self-hosted deployments on SQLite or Redis checkpointer with untrusted input reaching history endpoints. If you are on managed LangSmith with PostgreSQL, you are not exposed to that specific vector. Find out which configuration your deployment uses.

Rotate credentials accessible to agent processes. Any API key, database password, or CRM token the agent can read is potentially compromised. LangChain's path traversal reads secrets off disk. LangGraph's RCE runs code under the agent's identity. Assume exposure and rotate.

Isolate the agent's network access. The localhost trust model breaks when the agent browses untrusted content and talks to privileged local services in the same process. Separate them. Run the browsing component in a sandbox. Require authentication on every local service, even those bound to 127.0.0.1.

Inventory your agent estate. The Gravitee State of AI Agent Security report found that agent fleets doubled in four months while security coverage barely moved. You cannot defend what you have not counted.

Sources

  • Microsoft Security Blog, "AutoJack: How a single page can RCE the host running your AI agent" (June 18, 2026)
  • CSO Online, "Microsoft says web-enabled AI agents can trigger host-level RCE" (June 19, 2026)
  • Eventus Systems advisory, CVE-2026-44211, Cline Kanban WebSocket hijacking (June 2026)
  • SecurityOnline, "Critical Cline AI Agent Flaw Allows Stealthy RCE via Your Browser" (June 2026)
  • VentureBeat / Check Point / Tenable / VulnCheck / Cyera, Langflow/LangGraph/LangChain RCE reporting (June 19, 2026)
  • Google DeepMind, "Securing the future of AI agents" (June 18, 2026)
  • Snowflake, "Securing the Agentic Enterprise Starts with the Data" (June 18, 2026)
  • Gravitee, "State of AI Agent Security 2026" (April 2026, published June 15, 2026)