Semantic Kernel CVE-2026-26030: Prompt Injection to RCE in Microsoft AI Agent Framework—eval() Filter Vulnerability Affects Python SDK < 1.39.4
Date: 2026-05-09
Tags: malicious-tool, prompt-injection
Executive Summary
Microsoft disclosed on May 7, 2026, that two since-patched vulnerabilities in its Semantic Kernel agent framework could turn prompt injection into remote code execution or arbitrary host file writes in affected Python and .NET agent deployments. CVE-2026-26030 affected the Python Semantic Kernel package before version 1.39.4 under specific conditions: the agent had to use the In-Memory Vector Store as the backend for a Search Plugin with the default filtering behavior. When those conditions aligned, a single crafted prompt could lead to host-level remote code execution.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | Semantic Kernel Python Agent Framework RCE Vulnerability |
| Attribution | Vulnerability (not attributed to threat actor) (confidence: none) |
| Target | Organizations deploying Python-based AI agents with Semantic Kernel < 1.39.4, especially those using InMemoryVectorStore with default configuration |
| Vector | Prompt injection → eval() code execution in filter expressions |
| Status | active |
| First Observed | 2026-02-19 |
Detailed Findings
The default filter was built as a Python lambda expression and executed with eval(), with the city value supplied to the search interpolated directly into the expression. The payload breaks out of the filter string and walks Python's MRO: () → tuple → object → __subclasses__() → BuiltinImporter → os.system(). The resulting command (calc.exe, or any arbitrary command) executes on the host.

The second vulnerability, CVE-2026-25592, affected the .NET Semantic Kernel SDK before version 1.71.0 and centered on SessionsPythonPlugin, which lets agents execute Python code inside Azure Container Apps. DownloadFileAsync was accidentally exposed to the model as a callable kernel function, and without adequate path validation a hostile prompt could steer the agent into writing a file somewhere dangerous.
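The defect is easier to see in code. The following is a constructed illustration added here, not Semantic Kernel's own code: a filter built by interpolating a caller-supplied value into Python source and compiling it with eval(), beside the closure-based form that treats the value purely as data. A real city name containing an apostrophe is enough to show the difference; the Record class, the sample records and the function names are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass
class Record:
    """Constructed stand-in for a vector-store record with a city field."""
    city: str
    text: str


# Constructed sample records; one city name legitimately contains a quote.
SAMPLE_RECORDS = [
    Record("Paris", "rainy"),
    Record("L'Aquila", "sunny"),
    Record("Berlin", "cloudy"),
]


def build_filter_unsafe(city: str) -> Callable[[Record], bool]:
    """Vulnerable pattern: the value is interpolated into Python source and
    compiled with eval(), so the value is parsed as code, not held as data."""
    return eval(f"lambda record: record.city == '{city}'")


def build_filter_safe(city: str) -> Callable[[Record], bool]:
    """Hardened form: a closure over the value. No source text is built, so
    the value can never alter the program's structure."""
    return lambda record: record.city == city


def search(records: Iterable[Record], predicate: Callable[[Record], bool]) -> list[str]:
    return [r.text for r in records if predicate(r)]


def compare(city: str) -> dict:
    """Run both builders on the same input. A SyntaxError from the unsafe
    builder is the tell that the input reached the parser as code."""
    result = {}
    try:
        result["unsafe"] = search(SAMPLE_RECORDS, build_filter_unsafe(city))
    except SyntaxError:
        result["unsafe"] = "SyntaxError: value was parsed as code"
    result["safe"] = search(SAMPLE_RECORDS, build_filter_safe(city))
    return result


if __name__ == "__main__":
    for name in ("Paris", "L'Aquila"):
        print(name, compare(name))
```

The same comparison makes a cheap regression check for any filter path: if a value containing a quote raises SyntaxError, that value is reaching an eval() or exec() sink.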
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Prompt Injection | T1598 | Attacker crafts input to agent that bypasses model filtering and injects code execution commands |
| Code Injection | T1059 | Python eval() sink executes attacker-controlled code via filter expression |
| Execution | T1059.001 | os.system() and arbitrary Python code execution via deserialization |
IOCs
Domains
_Vulnerability tracking; affected package versions are the primary IOC_
Full URL Paths
_Vulnerability tracking; affected package versions are the primary IOC_
Splunk Format
_No IOCs available for Splunk query_
Package Indicators
semantic-kernel<1.39.4 (Python)
semantic-kernel<1.71.0 (.NET)
Detection Recommendations
- Inventory all Semantic Kernel deployments and immediately upgrade the Python SDK to ≥1.39.4 and the .NET SDK to ≥1.71.0.
- Monitor agent logs for eval() calls in filter expressions.
- Implement prompt input validation and sanitization before values are passed to the Search Plugin.
- Avoid InMemoryVectorStore in production; use production-grade vector databases.
- Implement code execution sandboxing for agent operations.
- Monitor for unexpected file writes or system command execution from Python agent processes.
References
- [Microsoft Security Blog] When prompts become shells: RCE vulnerabilities in AI agent frameworks (2026-05-07) — https://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/
- [GitHub Security Advisory] GHSA-xjw9-4gw8-4rqx: Microsoft Semantic Kernel InMemoryVectorStore RCE (2026-02-19) — https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-xjw9-4gw8-4rqx
- [NVD] CVE-2026-26030 Detail (2026-02-19) — https://nvd.nist.gov/vuln/detail/CVE-2026-26030