Microsoft Semantic Kernel Remote Code Execution: Prompt Injection to Python Eval Sink in AI Agent Frameworks
Date: 2026-05-26
Tags: prompt-injection, malicious-tool, mcp-security
Executive Summary
Microsoft disclosed two critical vulnerabilities in Semantic Kernel, an open-source framework for building AI agents with over 27,000 GitHub stars, that let an attacker escalate from prompt injection to a code execution primitive. CVE-2026-26030 affects the Python package semantic-kernel prior to version 1.39.4, specifically when the In-Memory Vector Store's filter functionality is used. Upgrading to version 1.39.4 or later mitigates the risk.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | Semantic Kernel RCE Exploitation Chain |
| Attribution | Unknown - disclosure only, no documented exploitation (confidence: none) |
| Target | Organizations deploying Microsoft Semantic Kernel framework in AI agent applications |
| Vector | Prompt injection targeting unsafe vector store filter operations leading to arbitrary Python code execution via eval() |
| Status | active |
| First Observed | 2026-05-07 |
Detailed Findings
Once an AI model is wired to tools, prompt injection stops being only a content-safety problem and becomes a potential code execution primitive. The LLM is not a security boundary: the tools exposed to it define the attacker's reachable scope, and any tool parameter the model can influence must be treated as attacker-controlled input. Defending AI agents therefore means correlating signals across two layers: the model layer (intent detection through meta prompts and content safety filters) and the host layer (execution detection), where traditional endpoint defenses catch anomalous behavior such as an AI agent process spawning command lines or dropping scripts into Startup folders.
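As an added illustration (not code from Semantic Kernel or from the Microsoft disclosure), the following Python contrasts the sink pattern described above with a hardened equivalent. A record filter receives its expression string as a tool parameter the model chose; `unsafe_filter` hands that string straight to `eval()`, while `safe_filter` parses it with the `ast` module, admits only comparisons, boolean operators, literals and a fixed set of field names, and evaluates the tree itself so no interpreter call site exists. The records, field names and expressions are constructed for the example, and the function names are hypothetical rather than the framework's API.

```python
import ast
import operator

# Constructed sample records standing in for vector-store entries (not real data).
RECORDS = [
    {"id": "doc-1", "tenant": "acme", "score": 0.91, "public": True},
    {"id": "doc-2", "tenant": "acme", "score": 0.42, "public": False},
    {"id": "doc-3", "tenant": "globex", "score": 0.88, "public": True},
]
FIELDS = frozenset({"id", "tenant", "score", "public"})


def unsafe_filter(records, expression):
    """Vulnerable pattern (hypothetical): the expression is a model-influenced
    tool parameter, and eval() executes whatever it contains. Passing {} as
    globals does not help: CPython re-inserts __builtins__, so __import__ is
    still reachable from inside the expression."""
    return [r for r in records if eval(expression, {}, dict(r))]


class FilterError(ValueError):
    """Raised when a filter expression uses syntax or names outside the allow-list."""


# Only these node types may appear anywhere in the parsed expression. Calls,
# attribute access, subscripts, comprehensions and f-strings are all absent.
_ALLOWED_NODES = (
    ast.Expression, ast.BoolOp, ast.UnaryOp, ast.Compare, ast.Name, ast.Constant,
    ast.Load, ast.And, ast.Or, ast.Not,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
)
_COMPARE_OPS = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
    ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge,
}
_MAX_EXPRESSION_LEN = 512  # bounds parser work on attacker-sized input


def compile_filter(expression, allowed_fields):
    """Parse the expression and reject any node type or field name not on the allow-list."""
    if len(expression) > _MAX_EXPRESSION_LEN:
        raise FilterError("filter expression too long")
    try:
        tree = ast.parse(expression, mode="eval")
    except SyntaxError as exc:
        raise FilterError(f"invalid filter syntax: {exc.msg}") from None
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise FilterError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id not in allowed_fields:
            raise FilterError(f"unknown field: {node.id}")
    return tree


def _evaluate(node, record):
    """Walk the vetted tree directly; nothing here ever reaches eval() or exec()."""
    if isinstance(node, ast.Expression):
        return _evaluate(node.body, record)
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        return record.get(node.id)
    if isinstance(node, ast.UnaryOp):  # only ast.Not survives compile_filter
        return not _evaluate(node.operand, record)
    if isinstance(node, ast.BoolOp):
        values = (_evaluate(v, record) for v in node.values)
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.Compare):  # supports chains such as 0.4 < score < 0.9
        left = _evaluate(node.left, record)
        for op, comparator in zip(node.ops, node.comparators):
            right = _evaluate(comparator, record)
            if not _COMPARE_OPS[type(op)](left, right):
                return False
            left = right
        return True
    raise FilterError(f"unexpected node: {type(node).__name__}")


def safe_filter(records, expression, allowed_fields=FIELDS):
    """Hardened replacement: same filtering outcome for legitimate expressions,
    FilterError for anything that tries to leave the expression language."""
    tree = compile_filter(expression, allowed_fields)
    return [r for r in records if _evaluate(tree, r)]


def filter_is_allowed(expression, allowed_fields=FIELDS):
    """Convenience predicate for tests and input validation."""
    try:
        compile_filter(expression, allowed_fields)
        return True
    except FilterError:
        return False


if __name__ == "__main__":
    print(safe_filter(RECORDS, "tenant == 'acme' and score > 0.5"))
    print(filter_is_allowed("__import__('os').listdir('.')"))  # a Call node: rejected
```

The allow-list is deliberately positive (name what is permitted) rather than negative (block `__import__`, `open`, and so on); a deny-list on an `eval()` sink is exactly the kind of filter that attribute chains and string tricks have historically bypassed.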
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Prompt Injection | T1059 | Attacker crafts malicious prompts that bypass LLM guardrails and influence tool parameters |
| Code Execution | T1059.006 | Unsafe eval() in vector store filter allows arbitrary Python AST traversal and execution |
IOCs
_No IOCs published for exploitation in the wild. Vulnerable versions: Python semantic-kernel < 1.39.4; .NET SDK < 1.71.0._
Package Indicators
semantic-kernel
Detection Recommendations
Defenders should define the vulnerable window as the period from when a vulnerable Semantic Kernel version was deployed until version 1.39.4 or later was installed, and focus investigation on that time range. Monitor for: (1) Python AI agent processes passing untrusted input to eval(); (2) Semantic Kernel framework versions < 1.39.4 or .NET SDK < 1.71.0 in production; (3) unusual AST traversal patterns in application logs; (4) unexpected subprocess execution from AI agent processes.
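The vulnerable-window scoping above, as an added example that is not part of the original advisory: the script below takes a per-host install history of the Semantic Kernel package and, using the fixed versions the advisory names (Python 1.39.4, .NET SDK 1.71.0), returns for each host the date range investigators should hunt in, with an open end where a vulnerable build is still deployed. The inventory records, host names and dates are constructed; how an organization actually collects install history (package manager logs, SBOMs, configuration management) is outside the example.

```python
import re
from datetime import date

# Fixed versions from the advisory; anything strictly below is in scope.
FIXED_VERSIONS = {"python": (1, 39, 4), "dotnet": (1, 71, 0)}

# Leading major.minor.patch only; a pre-release tag such as "1.39.4rc1" is
# parsed as 1.39.4 and therefore treated as fixed, so treat pre-releases with care.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return a comparable (major, minor, patch) tuple or raise ValueError."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(runtime, version):
    """True when the installed version predates the advisory's fix for that runtime."""
    if runtime not in FIXED_VERSIONS:
        raise ValueError(f"unknown runtime: {runtime!r}")
    return parse_version(version) < FIXED_VERSIONS[runtime]


# Constructed inventory: each host lists (version, install date) oldest first.
INVENTORY = [
    {"host": "agent-01", "runtime": "python",
     "history": [("1.38.0", date(2026, 3, 2)), ("1.39.4", date(2026, 5, 9))]},
    {"host": "agent-02", "runtime": "python",
     "history": [("1.39.2", date(2026, 4, 15))]},            # never upgraded
    {"host": "agent-03", "runtime": "dotnet",
     "history": [("1.70.0", date(2026, 2, 1)), ("1.71.0", date(2026, 5, 8))]},
    {"host": "agent-04", "runtime": "python",
     "history": [("1.39.4", date(2026, 5, 10))]},            # deployed fixed
]


def vulnerable_windows(inventory):
    """Map host -> (window_start, window_end); window_end is None while still exposed.

    The window opens on the first install of a vulnerable build and closes on
    the first subsequent install of a fixed build. Hosts that never ran a
    vulnerable build are omitted."""
    windows = {}
    for asset in inventory:
        start = end = None
        for version, installed in sorted(asset["history"], key=lambda item: item[1]):
            exposed = is_vulnerable(asset["runtime"], version)
            if exposed and start is None:
                start = installed
            elif not exposed and start is not None and end is None:
                end = installed
        if start is not None:
            windows[asset["host"]] = (start, end)
    return windows


def still_exposed(inventory):
    """Hosts whose window has not closed: the first place to look, and to patch."""
    return sorted(host for host, (_, end) in vulnerable_windows(inventory).items() if end is None)


if __name__ == "__main__":
    for host, (start, end) in vulnerable_windows(INVENTORY).items():
        print(f"{host}: hunt from {start} to {end or 'now'}")
    print("still exposed:", still_exposed(INVENTORY))
```

Feeding the resulting ranges into log searches for the host-level signals listed above (agent processes spawning command lines, unexpected subprocesses) keeps the hunt bounded to the period in which the eval() sink was actually reachable.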
References
- [Microsoft Security Blog] When prompts become shells: RCE vulnerabilities in AI agent frameworks (2026-05-07) — https://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/
- [CVE Details / NVD] CVE-2026-26030: Semantic Kernel Python Vulnerable Vector Store Filter (2026-05-07) — https://nvd.nist.gov/vuln/detail/CVE-2026-26030