Microsoft Semantic Kernel Critical RCE Vulnerabilities (CVE-2026-25592, CVE-2026-26030)—Prompt Injection to Remote Code Execution in AI Agent Frameworks

Date: 2026-05-18
Tags: prompt-injection, mcp-security

Executive Summary

Microsoft disclosed on May 7, 2026, two patched vulnerabilities in the Semantic Kernel agent framework that could let prompt injection escalate to remote code execution or arbitrary host file writes in affected Python and .NET deployments. CVE-2026-25592 (CVSS 10.0) lets a prompt-injected Semantic Kernel agent escape its Azure Container Apps Python sandbox by abusing DownloadFileAsync, which was accidentally tagged [KernelFunction] and therefore exposed to the LLM as a callable tool, with no validation of the path it writes to.

Campaign Summary

| Field | Detail |
|---|---|
| Campaign / Malware | Semantic Kernel Prompt Injection to RCE |
| Attribution | Design Flaw (confidence: high) |
| Target | Organizations using Microsoft Semantic Kernel .NET SDK <1.71.0 and Python SDK <1.39.4 to build AI agents |
| Vector | Prompt injection via untrusted user input; LLM-controlled function parameters bypass validation |
| Status | active |
| First Observed | 2026-05-07 |

Detailed Findings

On May 7, 2026, Microsoft disclosed CVE-2026-25592, a CVSS 10.0 sandbox-escape vulnerability in the .NET Semantic Kernel SDK, alongside CVE-2026-26030 in the Python SDK's in-memory vector store.

CVE-2026-25592 affected .NET SDK <1.71.0 in SessionsPythonPlugin, where DownloadFileAsync was accidentally exposed to the model as a callable kernel function. Its localFilePath parameter determined where the downloaded data would be written on the host, and because that value was not validated, a hostile prompt could steer the agent into writing a file to an arbitrary and potentially dangerous location.

CVE-2026-26030 affected Python SDK <1.39.4, where the in-memory vector store's default filter was built as a Python lambda expression string and executed with eval(), with the caller-supplied city value interpolated directly into that expression, so the value was parsed as code rather than compared as data.

Microsoft characterises both flaws as symptomatic of a wider agentic-AI pattern: code that 'trusts LLM-controlled parameters without explicit validation'.
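The two bug patterns described above, as an added example that is not Semantic Kernel's own code: a filter assembled as source text with a caller value interpolated into it and then passed to eval(), and an LLM-chosen local file path used as a write target, each beside a hardened form. The function names, the sandbox directory `/tmp/sk_sandbox` and the sample records are constructed for this illustration.

```python
"""Added example, not Semantic Kernel's own code: the two bug patterns
named in the findings (an eval()'d filter expression with a caller value
interpolated into it, and an LLM-chosen local file path used as a write
target without validation), each beside a hardened form. Function names,
the sandbox directory and the sample records are constructed."""
from pathlib import Path
from typing import Callable

# Constructed records standing in for an in-memory vector store.
RECORDS = [
    {"id": 1, "city": "Seattle"},
    {"id": 2, "city": "Oslo"},
    {"id": 3, "city": "Seattle"},
]


def build_filter_unsafe(city: str) -> Callable[[dict], bool]:
    """VULNERABLE PATTERN (shown only for contrast): the filter exists as
    source text and the value is interpolated into it before eval().
    A value containing a quote leaves the string literal and is parsed
    as Python, so data and code are no longer separated."""
    expr = f"lambda r: r.get('city') == '{city}'"
    return eval(expr)  # noqa: S307


def build_filter_safe(city: str) -> Callable[[dict], bool]:
    """HARDENED: compare the value as data inside a closure. No source
    text is assembled, so quotes or other syntax in the input are just
    characters of the string being compared."""
    if not isinstance(city, str):
        raise TypeError("city must be a string")
    return lambda r: r.get("city") == city


def query(records: list[dict], predicate: Callable[[dict], bool]) -> list[int]:
    """Return ids of the records the predicate accepts."""
    return [r["id"] for r in records if predicate(r)]


def unsafe_builder_breaks_on(city: str) -> bool:
    """True when the vulnerable builder hands the value to the parser and
    the parser rejects it: proof that the input is treated as code."""
    try:
        build_filter_unsafe(city)
        return False
    except SyntaxError:
        return True


def resolve_download_path(base_dir: str, requested: str) -> Path:
    """HARDENED: confine an LLM-supplied localFilePath-style argument to
    base_dir. Rejects empty values, NUL bytes, absolute paths, and any
    path that no longer sits strictly inside base_dir once '..' resolves."""
    if not isinstance(requested, str) or not requested or "\x00" in requested:
        raise ValueError("invalid path argument")
    base = Path(base_dir).resolve()
    candidate = Path(requested)
    if candidate.is_absolute():
        raise ValueError("absolute paths are not allowed")
    target = (base / candidate).resolve()
    if base not in target.parents:
        raise ValueError(f"{requested!r} resolves outside {base}")
    return target


def is_confined(base_dir: str, requested: str) -> bool:
    """True when resolve_download_path would accept the argument."""
    try:
        resolve_download_path(base_dir, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(query(RECORDS, build_filter_safe("Seattle")))   # ids 1 and 3
    print(query(RECORDS, build_filter_safe("O'Brien")))   # nothing: the quote is data
    print("unsafe builder chokes on a quote:", unsafe_builder_breaks_on("O'Brien"))
    for p in ("out/result.csv", "../../outside.txt", "/outside.txt", "."):
        print(f"{p!r:22} confined={is_confined('/tmp/sk_sandbox', p)}")
```

The closure-based filter removes the whole class of bug rather than trying to escape the interpolated value, and the path check compares resolved paths so that `..` segments and absolute paths are caught after normalisation rather than by string matching.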

MITRE ATT&CK Mapping

| Technique | ID | Context |
|---|---|---|
| Prompt Injection | T1598.004 | Attacker embeds malicious instructions in user input or documents processed by AI agent |
| Remote Code Execution | T1059 | LLM-controlled function calls enable arbitrary code execution via eval() or file operations |
| Sandbox Escape | T1548 | Privilege escalation from containerized Python environment to host system |

IOCs

Domains

_Vulnerable versions: .NET SDK <1.71.0, Python SDK <1.39.4; PoC available at https://github.com/amiteliahu/AIAgentCTF/tree/main/CVE-2026-26030_

Splunk Format

_No IOCs available for Splunk query_

Package Indicators

Microsoft.SemanticKernel.Core
semantic-kernel

Detection Recommendations

- Immediately audit all Semantic Kernel deployments for vulnerable versions via dependency scanning.
- Disable AutoInvokeKernelFunctions on agents with disk or shell reach.
- Implement manual function calling mode with explicit validation of LLM-proposed tool invocations before execution.
- Validate all LLM-controlled parameters with allowlists at the framework layer, not in prompts.
- Run agents in sandboxes with least-privilege filesystem and network access.
- Monitor for unusual file operations or child process spawning from agent processes.
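The manual-invocation and framework-layer allowlisting recommendations above, as an added example that is not Semantic Kernel's own code: the model only proposes a tool call, and a gate checks the proposal against an allowlist and per-parameter validators, holds any host-reaching tool for human approval, and only then dispatches to an executor. The tool names, validators, sandbox root `/tmp/sk_sandbox`, executors and sample proposals are all constructed for this illustration.

```python
"""Added example, not Semantic Kernel's own code: a framework-layer gate
for manual function-calling mode. The model only proposes a tool call;
the gate checks the proposal against an allowlist and per-parameter
validators, holds host-reaching tools for approval, and only then runs
the executor. Tool names, validators, the sandbox root and the sample
proposals are all constructed for this illustration."""
from dataclasses import dataclass
from pathlib import Path
import re
from typing import Any, Callable

SANDBOX = "/tmp/sk_sandbox"  # constructed sandbox root


def _plain_text(v: Any) -> bool:
    """Letters, digits, spaces and a few punctuation marks only, bounded length."""
    return isinstance(v, str) and re.fullmatch(r"[\w .,-]{1,64}", v) is not None


def _relative_inside_sandbox(v: Any) -> bool:
    """Lexical check for a file argument: non-empty, no NUL, relative, no '..' part.
    A resolve()-based comparison against SANDBOX is the stricter option."""
    if not isinstance(v, str) or not v or "\x00" in v:
        return False
    p = Path(v)
    return not p.is_absolute() and ".." not in p.parts


@dataclass(frozen=True)
class ToolSpec:
    name: str
    validators: dict[str, Callable[[Any], bool]]
    touches_host: bool = False  # disk or shell reach: needs human approval


ALLOWED_TOOLS = {
    "search_docs": ToolSpec("search_docs", {"city": _plain_text}),
    "download_file": ToolSpec(
        "download_file",
        {"remote_name": _plain_text, "local_path": _relative_inside_sandbox},
        touches_host=True,
    ),
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_approval: bool = False


def gate(proposal: dict, approved_by_human: bool = False) -> Decision:
    """Decide whether an LLM-proposed call may run. Every argument the
    model supplied must be expected and must pass its validator."""
    name = proposal.get("name")
    args = proposal.get("arguments") or {}
    spec = ALLOWED_TOOLS.get(name)
    if spec is None:
        return Decision(False, f"tool {name!r} is not in the allowlist")
    unexpected = sorted(set(args) - set(spec.validators))
    if unexpected:
        return Decision(False, f"unexpected arguments {unexpected}")
    for param, check in spec.validators.items():
        if param not in args:
            return Decision(False, f"missing argument {param!r}")
        if not check(args[param]):
            return Decision(False, f"argument {param!r} failed validation")
    if spec.touches_host and not approved_by_human:
        return Decision(False, "host-reaching tool held for approval", needs_approval=True)
    return Decision(True, "ok")


# Constructed executors; a real deployment would call the plugin here.
EXECUTED: list[str] = []
EXECUTORS = {
    "search_docs": lambda city: EXECUTED.append(f"search_docs:{city}"),
    "download_file": lambda remote_name, local_path: EXECUTED.append(f"download_file:{local_path}"),
}

# Constructed proposals, as a model might emit them in one turn.
SAMPLE_PROPOSALS = [
    {"name": "search_docs", "arguments": {"city": "Seattle"}},
    {"name": "download_file", "arguments": {"remote_name": "report.csv", "local_path": "../../outside.txt"}},
    {"name": "download_file", "arguments": {"remote_name": "report.csv", "local_path": "out/report.csv"}},
    {"name": "run_shell", "arguments": {"cmd": "ls"}},
]


def run_proposals(proposals: list[dict], approved: frozenset = frozenset()) -> list[tuple]:
    """Manual invocation loop: run only what the gate allows; return an audit log
    of (tool, allowed, needs_approval, reason) for every proposal seen."""
    EXECUTED.clear()
    log = []
    for i, p in enumerate(proposals):
        d = gate(p, approved_by_human=i in approved)
        log.append((p.get("name"), d.allowed, d.needs_approval, d.reason))
        if d.allowed:
            EXECUTORS[p["name"]](**p["arguments"])
    return log


if __name__ == "__main__":
    for entry in run_proposals(SAMPLE_PROPOSALS, approved=frozenset({2})):
        print(entry)
    print("executed:", EXECUTED)
```

The point of the gate is that validation lives in code the model cannot influence: the allowlist, the validators and the approval requirement are fixed at the framework layer, so a prompt cannot relax them. The audit log it returns is also the natural feed for the monitoring recommendation, since every rejected or held proposal is a signal worth alerting on.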

References