
A single crafted prompt launched calc.exe on the host running a Semantic Kernel AI agent. No exploit kit. No malicious attachment. Just text. On May 7, 2026, Microsoft disclosed two critical vulnerabilities that make this possible — and in doing so, confirmed something the security community has been warning about for months: once you wire a language model to tools, prompt injection stops being an annoyance and starts being a code execution primitive.
CVE-2026-25592: A Mislabeled Helper Becomes a CVSS 10.0 File Write
The .NET vulnerability lives in SessionsPythonPlugin — Semantic Kernel’s built-in plugin for running AI-generated Python code inside Azure Container Apps dynamic sessions. One internal method, DownloadFileAsync, was accidentally annotated with [KernelFunction]. That attribute is how Semantic Kernel advertises tools to the LLM, and it exposed the method’s full parameter schema to the model — including localFilePath, which became entirely AI-controlled.
The attack chain is straightforward: an attacker embeds malicious instructions in any document, email, or web content the agent processes. The LLM is told to call DownloadFileAsync with a payload destination in the Windows Startup folder. Semantic Kernel auto-invokes the function without prompting the user. On the next restart, the payload runs. Full remote code execution on the host — from one mis-tagged annotation.
Fix: Upgrade to Microsoft.SemanticKernel.Core >= 1.71.0. The NVD entry for CVE-2026-25592 has full affected version details.
CVE-2026-26030: eval() Meets Attacker-Controlled Content
The Python SDK vulnerability is more fundamental. InMemoryVectorStore — a common choice for RAG prototypes that frequently winds up in production — builds its filter expressions as Python lambdas and executes them with eval(). The filter input can come from attacker-controlled content in the vector store itself.
The result: a malicious record injected into a RAG corpus can execute arbitrary Python code the moment a search query triggers filtering. Any agent with access to disk, network, or credentials is exposed. If you are running InMemoryVectorStore in production and have not patched, stop using it until you do. CVE-2026-26030 (CVSS 9.8) affects all Python SDK releases below 1.39.4.
Fix: pip install "semantic-kernel>=1.39.4". In production, replace InMemoryVectorStore with an audited backend — Azure AI Search, Qdrant, or Chroma all avoid this pattern.
The Fix That Cuts the Attack Chain Entirely
Patching the specific CVEs is mandatory. But Microsoft’s security team identified a control that would have prevented both attacks from landing: disabling auto-invocation.
When auto-invocation is enabled — the default in most agent frameworks — the LLM can call any registered tool without your code explicitly triggering it. Disable it, and the model can only recommend a tool call; your code decides whether to execute it. That breaks prompt injection attacks at the execution boundary, not the parsing layer.
“The lowest-effort, highest-leverage hardening is to disable auto-invocation on any agent that can reach disk, shell, or production data, and run those agents in manual function calling mode.”
Microsoft Security Blog, May 7, 2026
This Is Not Just a Semantic Kernel Problem
Microsoft was unusually direct about the broader implications: “Readers should expect analogous flaws in LangChain, CrewAI, AutoGen and other agent frameworks.” That warning is worth taking seriously.
The underlying pattern is the same across every agent framework: LLMs are given access to rich tool registries; external content can influence what those LLMs do; frameworks that pass LLM-controlled parameters to sensitive functions without validation are vulnerable. Semantic Kernel made it concrete with two CVSS 9.8+ CVEs. Every other framework has the same attack surface. The same week saw PraisonAI exploited within four hours of disclosure and a critical OpenClaw RCE emerge via a malicious link. These are not isolated incidents.
What to Do Today
- Upgrade immediately: Python SDK to semantic-kernel >= 1.39.4; .NET SDK to Microsoft.SemanticKernel.Core >= 1.71.0
- Disable auto-invocation on any agent with access to disk, shell, credentials, or production data
- Audit [KernelFunction] tags — verify no unintended methods are exposed to your LLM
- Remove InMemoryVectorStore from production — it was not designed for untrusted input at scale
- Never pass LLM-controlled strings to eval() — this principle extends well beyond Semantic Kernel
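The eval()-based filter pattern behind CVE-2026-26030 and the last bullet above, as an added example that is not Semantic Kernel's own code: the unsafe form evaluates the filter string directly against each record, while the hardened form parses it with the ast module and permits only field comparisons and boolean logic, rejecting calls, attribute access and any other syntax. The records, field names and filter strings are constructed sample data.

```python
import ast
import operator

# Constructed sample corpus standing in for vector-store records.
RECORDS = [
    {"id": 1, "tag": "finance", "score": 0.9},
    {"id": 2, "tag": "hr", "score": 0.4},
    {"id": 3, "tag": "finance", "score": 0.3},
]

def unsafe_filter(expr, records):
    """The vulnerable pattern: field names resolve because each record is the
    locals namespace, but eval() also runs any call or import found in expr."""
    return [r for r in records if eval(expr, {}, r)]

# Comparison operators the hardened evaluator accepts; everything else is rejected.
_CMP = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}

class FilterRejected(ValueError):
    """Raised when a filter uses anything beyond field comparisons and and/or/not."""

def _eval(node, record):
    if isinstance(node, ast.BoolOp):
        vals = [_eval(v, record) for v in node.values]
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval(node.operand, record)
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _CMP:
        left = _eval(node.left, record)
        right = _eval(node.comparators[0], record)
        return _CMP[type(node.ops[0])](left, right)
    if isinstance(node, ast.Name):          # a record field, never a builtin
        if node.id not in record:
            raise FilterRejected(f"unknown field {node.id!r}")
        return record[node.id]
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, int, float, bool)):
        return node.value
    # Call, Attribute, Subscript, Lambda, etc. all land here.
    raise FilterRejected(f"disallowed syntax: {type(node).__name__}")

def safe_filter(expr, records):
    """Hardened form: the filter is data to interpret, not code to execute."""
    tree = ast.parse(expr, mode="eval")     # SyntaxError for non-expressions
    return [r for r in records if _eval(tree.body, r)]
```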
The patches are out. The attack vectors are public. The exploitation window is open right now for any unpatched Semantic Kernel instance in production. The GitHub security advisory has the full disclosure timeline and proof-of-concept details.