
Microsoft: RCE Vulnerabilities Turn Prompts Into Shell Commands

CVE-2026-26030 (CVSS 9.8) enables RCE in Semantic Kernel via prompt injection. Immediate upgrade to 1.39.4+ required for AI agent applications.

AgentScout · 4 min read
#microsoft #semantic-kernel #rce #prompt-injection #ai-security #cve

TL;DR

Microsoft disclosed CVE-2026-26030 (CVSS 9.8), a critical remote code execution vulnerability in the Semantic Kernel Python SDK that allows attackers to execute arbitrary code through prompt injection in vector store filter expressions. The vulnerability affects all versions prior to 1.39.4 and targets AI agent infrastructure directly, not web endpoints.

Key Facts

  • Who: Microsoft Security Response Center, affecting Semantic Kernel SDK users
  • What: Critical RCE vulnerability (CVSS 9.8) enabling arbitrary code execution via prompt injection
  • When: Disclosed May 7, 2026; patches available immediately
  • Impact: All AI applications using Semantic Kernel Python SDK < 1.39.4 or .NET SDK < 1.71.0

What Changed

Microsoft’s Security Response Center disclosed a critical remote code execution vulnerability in Semantic Kernel, its open-source SDK for building AI agents. CVE-2026-26030 carries a CVSS severity score of 9.8 out of 10, making it one of the most severe AI framework vulnerabilities disclosed in 2026.

The vulnerability resides in the InMemoryVectorStore component, where malicious filter expressions can be injected through user prompts. Unlike traditional injection attacks that target web application endpoints, this attack chain converts natural language input into executable Python code through the agent’s internal filter parsing logic.

“An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the application,” Microsoft stated in its security advisory. “This could allow the attacker to install programs; view, change, or delete data; or create new accounts with full user rights.”

A second vulnerability, CVE-2026-25592, affects the .NET SDK with a path traversal flaw. Both vulnerabilities were patched in Semantic Kernel Python version 1.39.4 and .NET version 1.71.0, released immediately upon disclosure.

Security researchers from Nuka-AI disclosed multiple bypass vectors for the initial February patches, prompting the May disclosure and additional hardening measures.

Why It Matters

The attack chain mechanics distinguish this vulnerability from traditional web security threats:

Attack vector              Traditional XSS           Semantic Kernel RCE
Entry point                Web form input            Agent prompt input
Target layer               Browser DOM               Python/.NET runtime
Execution context          Client-side JavaScript    Server-side code
Blast radius               User session              Application server
Exploitation complexity    Medium                    Low

Attack Chain Breakdown:

  1. Prompt Input: Attacker crafts a natural language prompt containing malicious filter syntax
  2. Filter Expression: The prompt is passed to InMemoryVectorStore.filter() without proper sanitization
  3. Code Execution: Filter expression is evaluated as Python code via eval() or equivalent
  4. Runtime Access: Attacker gains arbitrary code execution on the server hosting the AI agent
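The four steps above, reduced to a runnable illustration. This is example code added for this article, not Semantic Kernel's own code: unsafe_filter models the pattern the advisory describes (a prompt-derived filter string handed to eval), and compile_filter/safe_filter show the hardened alternative of parsing the expression with the ast module and interpreting only a whitelisted grammar, so the string is never executed as code. The records, field names, both filter strings and the environment-variable marker are constructed for the demo.

```python
import ast
import operator
import os
from typing import Any, Callable, Dict, Iterable, List, Set

Record = Dict[str, Any]

# Constructed sample corpus standing in for an in-memory vector store collection.
DOCS: List[Record] = [
    {"id": 1, "tenant": "acme", "category": "hr"},
    {"id": 2, "tenant": "acme", "category": "finance"},
    {"id": 3, "tenant": "globex", "category": "hr"},
]
ALLOWED_FIELDS: Set[str] = {"id", "tenant", "category"}

# What a well-behaved agent might emit for "show me Acme's HR or legal documents".
LEGIT = "tenant == 'acme' and category in ['hr', 'legal']"
# What an injected prompt could steer it into emitting: valid Python, truthy, and
# it runs arbitrary code as a side effect (a harmless environment marker here).
MARKER = "SK_FILTER_DEMO_PWNED"
PAYLOAD = f"__import__('os').environ.update({MARKER}='1') or True"


def unsafe_filter(records: Iterable[Record], expr: str) -> List[Record]:
    # Vulnerable pattern: the filter string is Python source, so any expression,
    # calls and imports included, executes inside the agent process.
    return [r for r in records if eval(expr, {}, dict(r))]  # deliberately unsafe


class FilterError(ValueError):
    """The expression uses syntax outside the filter grammar."""


_COMPARE = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
    ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge,
    ast.In: lambda a, b: a in b, ast.NotIn: lambda a, b: a not in b,
}


def compile_filter(expr: str, allowed_fields: Set[str]) -> Callable[[Record], bool]:
    """Hardened pattern: parse, then interpret only field names, literals,
    comparisons and and/or/not. Calls, attribute access, subscripts and unknown
    names are rejected before anything is evaluated."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise FilterError(f"not a valid filter expression: {exc.msg}") from None

    def build(node: ast.AST) -> Callable[[Record], Any]:
        if isinstance(node, ast.Expression):
            return build(node.body)
        if isinstance(node, ast.Constant) and isinstance(
                node.value, (str, int, float, bool, type(None))):
            value = node.value
            return lambda r: value
        if isinstance(node, ast.Name):
            if node.id not in allowed_fields:
                raise FilterError(f"unknown field {node.id!r}")
            field = node.id
            return lambda r: r.get(field)
        if isinstance(node, (ast.List, ast.Tuple)):
            items = [build(e) for e in node.elts]
            return lambda r: [item(r) for item in items]
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            inner = build(node.operand)
            return lambda r: not inner(r)
        if isinstance(node, ast.BoolOp):
            parts = [build(v) for v in node.values]
            if isinstance(node.op, ast.And):
                return lambda r: all(p(r) for p in parts)
            return lambda r: any(p(r) for p in parts)
        if isinstance(node, ast.Compare):
            left = build(node.left)
            rights = [build(c) for c in node.comparators]
            ops = [_COMPARE.get(type(op)) for op in node.ops]
            if None in ops:
                raise FilterError("disallowed comparison operator")

            def compare(r: Record) -> bool:  # handles chained forms like 1 <= id < 3
                current = left(r)
                for fn, rhs in zip(ops, rights):
                    nxt = rhs(r)
                    if not fn(current, nxt):
                        return False
                    current = nxt
                return True
            return compare
        raise FilterError(f"disallowed syntax: {type(node).__name__}")

    return build(tree)


def safe_filter(records: Iterable[Record], expr: str,
                allowed_fields: Set[str] = ALLOWED_FIELDS) -> List[Record]:
    predicate = compile_filter(expr, allowed_fields)
    return [r for r in records if predicate(r)]


def exploit_marker_set() -> bool:
    """True once PAYLOAD has executed in this process."""
    return os.environ.get(MARKER) == "1"
```

Running unsafe_filter(DOCS, PAYLOAD) returns every record and leaves the marker in the process environment, which is the whole attack in miniature: the filter "matched", and code ran. safe_filter(DOCS, PAYLOAD) raises FilterError at parse time, while the legitimate filter still works in both. The point of the hardened version is that the allowed grammar is closed: there is no node type through which a string can reach a call, an attribute, or a builtin, so no blocklist of "dangerous" tokens is needed.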

The vulnerability class is particularly concerning because:

  • No Input Validation Bypass Required: The filter expression syntax is intended functionality, making detection difficult
  • Agent-Specific Attack Surface: Traditional WAF rules do not inspect agent prompt flows
  • High Trust Context: AI agents often run with elevated permissions to access tools, APIs, and databases
  • Supply Chain Implications: Organizations embedding Semantic Kernel in production agents face immediate exposure

According to Microsoft’s security blog, the attack requires no authentication for applications that accept untrusted prompts, which includes most customer-facing AI agent deployments.

🔺 Scout Intel: What Others Missed

Confidence: high | Novelty Score: 82/100

The deeper security implication extends beyond the immediate patch. This vulnerability represents a new attack class: prompt-to-code translation exploits. Traditional security models assume a boundary between user input and code execution, but AI agent frameworks deliberately blur this boundary through natural language interfaces. Semantic Kernel’s filter expression mechanism is not a bug; it is a feature designed to let developers write expressive queries. The vulnerability exploits this intentional design pattern, making it difficult to distinguish legitimate use from malicious injection without breaking functionality.

Key Implication: Enterprise security teams must audit all AI agent frameworks, not just Semantic Kernel, for similar prompt-to-code translation patterns. LangChain, CrewAI, and OpenAI’s Agents SDK all implement comparable filter/search mechanisms that may contain equivalent vulnerabilities. The attack surface is architectural, not incidental.

What This Means

For AI Application Developers

Immediate action is required for any application using Semantic Kernel Python SDK before version 1.39.4 or .NET SDK before version 1.71.0. The patch introduces strict input sanitization for filter expressions, but developers should additionally:

  • Implement prompt content filtering before filter expression generation
  • Audit agent permissions and apply principle of least privilege
  • Enable audit logging for all filter expression evaluations
  • Consider sandboxing agent runtimes in containerized environments

For Enterprise Security Teams

This disclosure should trigger a broader audit of AI agent infrastructure:

  1. Inventory all AI frameworks in production environments, including Semantic Kernel, LangChain, CrewAI, AutoGen, and OpenAI Agents SDK
  2. Review prompt handling code for similar filter expression patterns
  3. Update security monitoring to include agent prompt flows, which traditional WAFs do not inspect
  4. Assess blast radius: Agents with database, API, or file system access multiply the potential impact
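Step 3 above (and the audit-logging recommendation for developers) only pays off if something reads the logs. The following is an added example for this article, not part of any vendor tooling: it assumes the application writes one JSON object per filter evaluation in the shape shown in SAMPLE_LOG (a constructed format, not Semantic Kernel's), and it flags expressions that contain the building blocks of a code payload (calls, attribute access, subscripts, dunder names) or that do not parse at all, which in practice is usually a probe or a broken injection attempt. The log lines, users and session IDs are constructed.

```python
import ast
import json
from typing import Any, Dict, Iterable, List

# Constructed audit log: each line records the filter expression the agent
# generated from a prompt, captured before it reached the vector store.
SAMPLE_LOG = """\
{"ts": "2026-05-07T10:01:12Z", "session": "s-101", "user": "alice", "filter_expr": "tenant == 'acme' and category in ['hr', 'legal']"}
{"ts": "2026-05-07T10:01:40Z", "session": "s-102", "user": "anon", "filter_expr": "__import__('os').system('id') or True"}
{"ts": "2026-05-07T10:02:05Z", "session": "s-103", "user": "anon", "filter_expr": "().__class__.__base__.__subclasses__()"}
{"ts": "2026-05-07T10:02:30Z", "session": "s-104", "user": "bob", "filter_expr": "category == 'finance' or"}
{"ts": "2026-05-07T10:03:00Z", "session": "s-105", "user": "bob", "filter_expr": "tenant == 'acme' and score > 0.8"}
"""

# Node types that never appear in a data filter but are the building blocks
# of a code-execution payload.
CODE_NODES = (ast.Call, ast.Attribute, ast.Subscript, ast.Lambda,
              ast.ListComp, ast.GeneratorExp, ast.JoinedStr, ast.Starred)


def classify_filter(expr: str) -> List[str]:
    """Return the reasons an expression looks like code rather than a filter.
    An empty list means it stays within comparisons, names and literals."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError:
        return ["unparseable"]
    reasons = set()
    for node in ast.walk(tree):
        if isinstance(node, CODE_NODES):
            reasons.add(type(node).__name__)
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            reasons.add(f"dunder:{node.attr}")
        if isinstance(node, ast.Name) and node.id.startswith("__"):
            reasons.add(f"dunder:{node.id}")
    return sorted(reasons)


def scan_audit_log(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Walk JSON-lines audit events and emit one alert per suspicious filter."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        reasons = classify_filter(event.get("filter_expr", ""))
        if reasons:
            alerts.append({
                "session": event["session"],
                "user": event["user"],
                "reasons": reasons,
                "filter_expr": event["filter_expr"],
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_audit_log(SAMPLE_LOG.splitlines()):
        print(alert["session"], alert["user"], alert["reasons"], alert["filter_expr"])
```

Because the check is structural rather than string-based, obfuscation inside string literals does not help the attacker: a payload has to become a Call or an Attribute somewhere in the tree to do anything, and that is exactly what is flagged. A WAF sitting in front of the chat endpoint sees none of this, since the expression is generated by the model after the request has been accepted, which is why the logging has to happen at the point of evaluation.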

What to Watch

Microsoft’s disclosure may be the first of many in this vulnerability class. Security researchers at Nuka-AI have demonstrated that the attack pattern is replicable across multiple agent frameworks. Expect additional CVEs targeting prompt-to-code translation mechanisms in competing AI agent SDKs throughout 2026.
