Microsoft Semantic Kernel CVE-2026-26030: Prompt Injection to RCE in Agentic AI Frameworks—Eval() Filter Bypasses Enable Code Execution Chains
Date: 2026-05-12
Tags: prompt-injection, mcp-security, malicious-tool
Executive Summary
Microsoft discovered a vulnerable path in Semantic Kernel that could turn prompt injection into host-level remote code execution (RCE). A single prompt was enough to launch calc.exe on the device running an AI agent, with no browser exploit, malicious attachment, or memory corruption bug needed. Microsoft identified and disclosed two critical vulnerabilities, CVE-2026-25592 and CVE-2026-26030, both since fixed, that could allow an attacker to achieve unauthorized code execution through injection attacks specifically targeted at agents built on the framework. Your agent is vulnerable to CVE-2026-26030 if it uses the Python package semantic-kernel at a framework version prior to 1.39.4.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | Semantic Kernel Prompt Injection RCE Exploitation (Proof-of-Concept/Vulnerability) |
| Attribution | Microsoft Security Research; vulnerability disclosure (confidence: high) |
| Target | Enterprises running AI agents built on Microsoft Semantic Kernel (27,000+ GitHub stars); developers integrating Semantic Kernel with tool-calling and RAG systems |
| Vector | Prompt injection via crafted LLM responses designed to manipulate agent tool-calling behavior; eval() filter bypass via Python AST-traversal payloads |
| Status | patched |
| First Observed | 2026-05-07 |
Detailed Findings
Exploitation of this vulnerability requires two conditions: the attacker must have a prompt injection vector allowing influence over the agent's inputs, and the targeted agent must have the Search Plugin backed by In-Memory Vector Store functionality using the default configuration. The attack requires crafting a prompt injection that not only bypasses the agent's natural language defenses but also smuggles a Python AST-traversal payload through the vulnerable eval() sink. Security teams must correlate signals across two layers: the AI model level (intent detection through meta prompts and content safety filters) and the host level (execution detection). If an attacker bypasses the AI model guardrails, traditional endpoint defense must be in place to detect anomalous behavior, such as an AI agent process suddenly spawning command lines or dropping scripts into Startup folders.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Prompt Injection | T1593 | Attacker crafts malicious prompts to manipulate LLM behavior and agent tool selection |
| Exploitation of Software Vulnerability | T1190 | Unsafe eval() function in Python SDK allows AST-traversal payload execution |
| Remote Code Execution | T1059 | Arbitrary command execution on the system running the AI agent process |
| Defense Evasion via Obfuscation | T1027 | Python AST manipulation to evade input validation and filter bypasses |
IOCs
_No network indicators (domains or URL paths) are associated with this vulnerability. It affects semantic-kernel Python SDK versions prior to 1.39.4, and Microsoft has released patches. No active exploitation campaigns have been reported in the wild; this is primarily a design flaw with a proof-of-concept demonstration._
Package Indicators
semantic-kernel<1.39.4 (Python SDK)
Detection Recommendations
- Upgrade semantic-kernel to version 1.39.4 or later immediately.
- Implement host-level endpoint detection and response (EDR) to monitor for unexpected process spawning from AI agent processes.
- Log all LLM interactions and tool calls to identify anomalous patterns.
- Use input validation schemas to enforce type safety for all agent tool parameters.
- Implement code execution guardrails that require human approval for sensitive operations.
- Scan for CVE-2026-26030 in your Semantic Kernel deployments using dependency scanning tools.
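The eval() sink in the Detailed Findings and the type-safety recommendation above both come down to the same fix: never hand an LLM-influenced filter string to the Python interpreter. The following is an added example, not code from Semantic Kernel or Microsoft, of an allowlist-based evaluator for simple record filters; the function names (`safe_filter`, `filter_is_allowed`) and the flat dict record format are assumptions for illustration.

```python
# Added example (not Semantic Kernel's own code): evaluate a filter such as
# "category == 'docs' and score > 0.5" against a record without eval().
# Only field names, string/number/bool literals, comparisons, and/not/or are
# allowed; attribute access, calls, subscripts, and unknown names are rejected,
# so a prompt-injected filter string never reaches the Python runtime.
import ast
import operator

_CMP = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}


class UnsafeFilter(ValueError):
    """Raised when a filter uses any construct outside the allowlist."""


def _eval(node, record):
    if isinstance(node, ast.Expression):
        return _eval(node.body, record)
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, int, float, bool)):
        return node.value
    if isinstance(node, ast.Name):  # only fields of the record are valid names
        if node.id not in record:
            raise UnsafeFilter(f"unknown field {node.id!r}")
        return record[node.id]
    if isinstance(node, ast.BoolOp):
        vals = [_eval(v, record) for v in node.values]
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval(node.operand, record)
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _CMP:
        return _CMP[type(node.ops[0])](_eval(node.left, record),
                                       _eval(node.comparators[0], record))
    # Anything else (Call, Attribute, Subscript, Lambda, chained compares, ...)
    raise UnsafeFilter(f"disallowed construct {type(node).__name__}")


def safe_filter(expr, record):
    """Return the boolean result of `expr` over `record`, or raise UnsafeFilter."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise UnsafeFilter(f"unparseable filter: {exc.msg}") from None
    return bool(_eval(tree, record))


def filter_is_allowed(expr, record):
    """True when the filter parses and uses only allowlisted constructs."""
    try:
        safe_filter(expr, record)
        return True
    except UnsafeFilter:
        return False
```

Because the walker enumerates the node types it accepts rather than the ones it blocks, new Python syntax or unexpected traversal tricks fail closed instead of slipping through a denylist.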
References
- [Microsoft Security Blog] When Prompts Become Shells: RCE Vulnerabilities in AI Agent Frameworks (2026-05-07) — https://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/
- [CVSS/NVD] CVE-2026-26030 - Semantic Kernel Python eval() RCE (2026-05-07) — https://nvd.nist.gov/vuln/detail/CVE-2026-26030