Critical Vulnerabilities in Microsoft’s Semantic Kernel Expose AI Agents to Remote Code Execution
Security researchers have uncovered two severe vulnerabilities in Microsoft’s Semantic Kernel, a widely used open-source framework for building AI agents, that could allow attackers to achieve remote code execution (RCE) or arbitrary file writes via prompt injection. The flaws, tracked as CVE-2026-25592 and CVE-2026-26030, highlight systemic risks in AI agent frameworks where untrusted input is mapped to system-level tools.
The Threat Model: AI Agents as Execution Vectors
Modern AI agents, powered by frameworks like Semantic Kernel, LangChain, and CrewAI, extend beyond text generation by integrating plugins that interact with files, databases, and scripts. While this enables powerful automation, it also introduces new attack surfaces. Unlike traditional AI vulnerabilities, where risks were limited to content manipulation, these flaws allow attackers to turn prompt injection into arbitrary code execution on the host system.
The AI model itself is not the issue; it functions as designed, translating natural language into structured tool calls. The vulnerability lies in how frameworks trust and process these tool invocations, turning prompt injection into a code execution primitive.
CVE-2026-26030: RCE via In-Memory Vector Store
Affected Versions: Semantic Kernel Python package < 1.39.4
Impact: Remote code execution on the host system
Exploitation Mechanics
Attack Prerequisites:
- The agent must use the Search Plugin backed by an In-Memory Vector Store with default configurations.
- The attacker must have a prompt injection vector to manipulate the agent’s inputs.
Vulnerability Root Cause:
- The framework’s default filter function for vector searches used unsafe string interpolation in Python’s eval(), allowing arbitrary code execution.
- A blocklist-based validator intended to restrict dangerous operations was bypassed due to Python’s flexibility (e.g., alternate syntax, class hierarchy traversal).
Exploit Chain:
- An attacker crafts a malicious prompt (e.g., ' or MALICIOUS_CODE or ') to escape the intended filter logic.
- The payload traverses Python’s class hierarchy to dynamically load the os module and execute shell commands (e.g., calc.exe).
- The exploit bypasses the blocklist by:
  - Using unblocked attributes (__name__, load_module, system).
  - Structuring the payload as a valid lambda expression.
  - Avoiding direct use of blocked built-ins (e.g., eval, exec).
Mitigation:
- Microsoft patched the flaw in v1.39.4 with a four-layer defense:
  - AST node-type allowlist (permitting only safe constructs).
  - Function call allowlist (restricting invocable functions).
  - Dangerous attributes blocklist (blocking class traversal).
  - Name node restriction (limiting identifiers to the lambda parameter).
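As an added illustration (this is example code written for this page, not Semantic Kernel’s own filter or patch), the Python below places the vulnerable pattern, interpolating caller-influenced text into eval(), beside a validator that applies the four layers listed above to a filter lambda: an AST node-type allowlist, a function-call allowlist, a dangerous-attribute blocklist, and a restriction of bare identifiers to the lambda parameter. The record fields, the allowed-call set, the attribute blocklist and the filter strings are all constructed for the example.

```python
import ast
from types import SimpleNamespace
from typing import Optional

# Constructed stand-ins for vector-store records (not the framework's data model).
RECORDS = [
    SimpleNamespace(id=1, category="docs", score=0.9, tags=["public", "faq"]),
    SimpleNamespace(id=2, category="code", score=0.4, tags=["internal"]),
    SimpleNamespace(id=3, category="docs", score=0.2, tags=["public"]),
]


def unsafe_filter(records: list, condition: str) -> list:
    """The vulnerable pattern: caller-influenced text is pasted into source code
    and handed to eval(), so any syntactically valid Python in `condition` runs."""
    predicate = eval(f"lambda r: {condition}")
    return [r for r in records if predicate(r)]


class UnsafeFilterError(ValueError):
    """Raised when a filter expression fails one of the four checks."""


# Layer 1: the only AST node types a filter lambda may contain (constructed allowlist).
ALLOWED_NODES = (
    ast.Expression, ast.Lambda, ast.arguments, ast.arg,
    ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not, ast.USub,
    ast.Compare, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.In, ast.NotIn,
    ast.Constant, ast.Name, ast.Load, ast.Attribute, ast.Call, ast.List, ast.Tuple,
)
# Layer 2: the only functions a filter may call (constructed allowlist).
ALLOWED_CALLS = {"len"}
# Layer 3: attributes that enable class-hierarchy traversal; all dunder names are refused.
DANGEROUS_ATTRS = {"mro", "subclasses", "globals", "builtins", "func_globals"}


def validate_filter(source: str) -> ast.Expression:
    """Parse `source` and enforce the four layers; return the AST if it passes."""
    try:
        tree = ast.parse(source, mode="eval")
    except SyntaxError as exc:
        raise UnsafeFilterError(f"not a valid expression: {exc.msg}") from exc
    if not isinstance(tree.body, ast.Lambda):
        raise UnsafeFilterError("filter must be a single lambda expression")
    args = tree.body.args
    if (len(args.args) != 1 or args.posonlyargs or args.kwonlyargs
            or args.vararg or args.kwarg or args.defaults):
        raise UnsafeFilterError("lambda must take exactly one positional parameter")
    param = args.args[0].arg
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):                                   # layer 1
            raise UnsafeFilterError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Call) and not (                                   # layer 2
                isinstance(node.func, ast.Name) and node.func.id in ALLOWED_CALLS):
            raise UnsafeFilterError("only allowlisted functions may be called")
        if isinstance(node, ast.Attribute) and (                                  # layer 3
                node.attr.startswith("__") or node.attr in DANGEROUS_ATTRS):
            raise UnsafeFilterError(f"dangerous attribute: {node.attr}")
        if isinstance(node, ast.Name) and node.id != param and node.id not in ALLOWED_CALLS:  # layer 4
            raise UnsafeFilterError(f"unexpected identifier: {node.id}")
    return tree


def rejection_reason(source: str) -> Optional[str]:
    """None if the filter passes validation, otherwise the reason it was refused."""
    try:
        validate_filter(source)
    except UnsafeFilterError as exc:
        return str(exc)
    return None


def safe_filter(records: list, source: str) -> list:
    """Validate, compile and apply a filter lambda with builtins stripped from its globals."""
    tree = validate_filter(source)
    code = compile(tree, "<filter>", "eval")
    predicate = eval(code, {"__builtins__": {}, "len": len})
    return [r for r in records if predicate(r)]


if __name__ == "__main__":
    print([r.id for r in safe_filter(RECORDS, "lambda r: r.category == 'docs' and r.score > 0.5")])
    for bad in ("lambda r: r.__class__", "lambda r: __import__('os')", "lambda r: other", "1 + 1"):
        print(bad, "->", rejection_reason(bad))
```

The allowlist is deliberately the positive form of the defense: anything not named in ALLOWED_NODES is refused, so alternate syntax the page mentions (conditional expressions, comprehensions, subscripts) never reaches eval(). Stripping builtins from the globals passed to eval() is a fifth, belt-and-braces layer of this example’s own design.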
CVE-2026-25592: Arbitrary File Write via SessionsPythonPlugin
Affected Versions: Semantic Kernel .NET SDK < 1.71.0
Impact: Sandbox escape, arbitrary file write, and RCE
Exploitation Mechanics
Vulnerability Root Cause:
- The .NET SDK’s DownloadFileAsync function was accidentally exposed to the AI model via the [KernelFunction] attribute.
- The function lacked path validation, allowing attackers to specify arbitrary host filesystem locations (e.g., Windows\Start Menu\Programs\Startup).
Attack Chain:
- Step 1: The attacker uses prompt injection to instruct the agent to generate a malicious script inside an isolated Azure Container Apps sandbox.
- Step 2: A second prompt triggers DownloadFileAsync to write the script to the host’s Startup folder.
- Step 3: On next login, the script executes, achieving full host compromise.
Mitigation:
- Microsoft removed the [KernelFunction] attribute, revoking AI model access to DownloadFileAsync.
- Added path validation (ValidateLocalPathForDownload()) to restrict writes to permitted directories.
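To make the path-validation mitigation concrete, the following is an added example written for this page in Python; it is not the .NET SDK’s ValidateLocalPathForDownload() and does not reproduce its logic. It shows the check such a function must make: the requested file name may only resolve to a location strictly inside a configured download root, after absolute paths in either POSIX or Windows form, both separator styles, “..” segments and symlinks have been accounted for. The download root and the example requests are constructed.

```python
import re
from pathlib import Path, PurePosixPath, PureWindowsPath

# Constructed download root for the example (not a path from the advisory).
DOWNLOAD_ROOT = "/srv/agent/downloads"


class PathEscapeError(ValueError):
    """Raised when a requested target does not resolve inside the download root."""


def resolve_download_path(download_root: str, requested: str) -> Path:
    """Return the absolute target for `requested`, or raise PathEscapeError.

    Checks applied (this example's own design, not the SDK's implementation):
      1. refuse empty names and absolute paths in either POSIX or Windows form,
      2. treat '/' and '\\' alike as separators, so '..\\' cannot pass as a file name
         on a POSIX host,
      3. resolve '..' segments and symlinks, then require the result to sit strictly
         below the root (the root itself is not a valid file target).
    """
    if not requested or requested != requested.strip():
        raise PathEscapeError("empty or whitespace-padded path")
    if PurePosixPath(requested).is_absolute() or PureWindowsPath(requested).is_absolute():
        raise PathEscapeError(f"absolute path refused: {requested!r}")
    root = Path(download_root).resolve()
    parts = [p for p in re.split(r"[\\/]+", requested) if p]
    candidate = root.joinpath(*parts).resolve()
    if root not in candidate.parents:
        raise PathEscapeError(f"path escapes download root: {requested!r}")
    return candidate


def is_safe_download_path(download_root: str, requested: str) -> bool:
    """Boolean form of the check, convenient for logging and tests."""
    try:
        resolve_download_path(download_root, requested)
    except PathEscapeError:
        return False
    return True


if __name__ == "__main__":
    # Constructed requests: the last two mimic the Startup-folder target described above.
    for req in ("reports/summary.txt", "reports/../summary.txt", "../../../tmp/escape.txt",
                "/etc/passwd",
                "C:\\Users\\svc\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.bat",
                "..\\..\\Startup\\run.bat"):
        print(f"{req!r:>90} -> {is_safe_download_path(DOWNLOAD_ROOT, req)}")
```

Resolving the joined path, rather than string-matching the prefix of the raw input, is what defeats “..” and symlink tricks; refusing absolute paths up front is what stops a request from simply naming the Startup folder outright, since joining an absolute path onto the root would otherwise discard the root.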
Detection and Response
Affected Systems
- CVE-2026-26030: Agents using Semantic Kernel Python < 1.39.4 with In-Memory Vector Store and default Search Plugin configurations.
- CVE-2026-25592: Agents using Semantic Kernel .NET SDK < 1.71.0.
Remediation
- Upgrade immediately to Python v1.39.4+ or .NET SDK v1.71.0+.
- Investigate potential exploitation by hunting for:
  - Suspicious child processes spawned by the agent (e.g., cmd.exe, powershell.exe).
  - File writes to sensitive directories (e.g., Startup folders).
  - Outbound connections from the agent host process.
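The three hunting indicators above can be turned into simple detection logic. The Python below is an added example for this page, not a rule from any EDR product or from Microsoft: it evaluates constructed JSON-lines telemetry (the field names, the agent host process names, the expected outbound destinations and the events themselves are all assumptions made for the example) and returns one alert per matching event.

```python
import json
from typing import Dict, Iterable, List, Optional

# Assumptions for this example: the agent runs inside one of these host processes, and in
# normal operation it only talks to these destinations (constructed names).
AGENT_PROCESSES = {"dotnet.exe", "python.exe"}
EXPECTED_DESTINATIONS = {"llm-api.example.test", "vectordb.internal.example.test"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Matches both the per-user and the all-users Startup folder (compared lower-cased).
STARTUP_MARKERS = ("\\microsoft\\windows\\start menu\\programs\\startup\\",)

# Constructed telemetry in a simple JSON-lines shape; 203.0.113.7 is a documentation address.
SAMPLE_EVENTS = r"""
{"type": "process_create", "parent_image": "dotnet.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c calc.exe"}
{"type": "process_create", "parent_image": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe"}
{"type": "file_write", "image": "dotnet.exe", "path": "C:\\Users\\svc-agent\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.bat"}
{"type": "file_write", "image": "dotnet.exe", "path": "C:\\agent\\downloads\\report.txt"}
{"type": "network_connect", "image": "python.exe", "dest_host": "llm-api.example.test", "dest_port": 443}
{"type": "network_connect", "image": "python.exe", "dest_host": "203.0.113.7", "dest_port": 443}
{"type": "network_connect", "image": "chrome.exe", "dest_host": "203.0.113.7", "dest_port": 443}
""".strip().splitlines()


def evaluate(event: dict) -> Optional[str]:
    """Return the name of the rule the event triggers, or None."""
    kind = event.get("type")
    image = event.get("image", "").lower()
    if kind == "process_create":
        # Indicator 1: the agent host process spawned a shell.
        if event.get("parent_image", "").lower() in AGENT_PROCESSES and image in SHELL_IMAGES:
            return "agent_spawned_shell"
    elif kind == "file_write" and image in AGENT_PROCESSES:
        # Indicator 2: the agent wrote into a Startup folder.
        path = event.get("path", "").lower()
        if any(marker in path for marker in STARTUP_MARKERS):
            return "agent_wrote_startup_folder"
    elif kind == "network_connect" and image in AGENT_PROCESSES:
        # Indicator 3: the agent connected somewhere it is not expected to.
        if event.get("dest_host", "").lower() not in EXPECTED_DESTINATIONS:
            return "agent_unexpected_outbound"
    return None


def hunt(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse JSON-lines telemetry and collect alerts; malformed lines are skipped."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        rule = evaluate(event)
        if rule:
            alerts.append({
                "rule": rule,
                "image": event.get("image", ""),
                "detail": event.get("cmdline") or event.get("path") or event.get("dest_host", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(f"{alert['rule']:<28} {alert['image']:<12} {alert['detail']}")
```

The outbound-connection rule is deliberately an allowlist of expected destinations rather than a flat “any connection” rule, because an agent legitimately talks to its model endpoint and vector store; without that allowlist the third indicator would fire on every request and be tuned out.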
Key Takeaways
- AI models are not security boundaries. Tools exposed to the model define the attacker’s scope.
- Prompt injection risks escalate when agents interact with system-level tools (e.g., file operations, code execution).
- Defense in depth is critical: Combine AI-level guardrails (intent detection) with host-level monitoring (endpoint telemetry).
The vulnerabilities underscore the need for secure-by-design agent architectures, where untrusted input is treated as attacker-controlled when mapped to high-risk operations. Further research will explore similar flaws in other AI agent frameworks.