Semantic Kernel CVE-2026-25592: When Prompt Injection Becomes Remote Code Execution
On May 7, 2026, Microsoft's Security blog published research disclosing two critical vulnerabilities in Semantic Kernel, the open-source framework with 27,000+ GitHub stars used to build AI agents. CVE-2026-25592 (CVSS 10.0) and CVE-2026-26030 turn prompt injection into host-level remote code execution.
A single crafted prompt was enough to launch arbitrary processes on the device running the agent. No browser exploit, no memory corruption bug, no malicious attachment. Just text.
Both vulnerabilities have been patched. But the story matters well beyond the patch.
What happened
Semantic Kernel is Microsoft's framework for building agents that wire AI models to plugins (tools). It handles the orchestration layer: routing model outputs to tool calls, parsing parameters, executing functions.
The vulnerability lives in exactly that layer. The framework parses natural language into tool schemas and passes the result into code. It trusted that output too completely.
CVE-2026-26030 (in-memory vector store): When an agent uses Semantic Kernel's Search Plugin backed by the in-memory vector store, an attacker who can inject into the agent's input stream can craft content that causes the framework to pass attacker-controlled parameters into system-level function calls. The result is RCE on the host.
Exploitation requires two conditions: a prompt injection vector into the agent (common in RAG setups, email processors, web scrapers) and the agent using the Search Plugin with the default in-memory vector store configuration.
CVE-2026-25592 (.NET SDK sandbox escape, CVSS 10.0): A more general sandbox escape in the .NET Semantic Kernel SDK. Details are more limited publicly to avoid enabling exploitation of unpatched instances, but the mechanism is similar: attacker-controlled text reaches framework internals that trust model output as safe code parameters.
Why this matters beyond the patch
Semantic Kernel is one framework. The vulnerability class is not.
Every AI agent framework that wires model output to tool execution faces the same structural risk. LangChain, CrewAI, AutoGen, any custom orchestration layer you built yourself: if your framework passes AI model output into system calls without sanitizing it first, you have a version of this problem.
The AI model is not the weak link. The model is doing exactly what it was designed to do: parse text and produce structured output. The vulnerability is in how the framework treats that output as trusted.
Microsoft's research explicitly says they are continuing the series beyond Semantic Kernel to other frameworks. We should expect more disclosures.
Who is actually at risk
If you are using Semantic Kernel, update immediately. The patched versions are:
- .NET Semantic Kernel SDK: 1.24.1 or later
- Python SDK: 1.17.1 or later
For the broader agent development community:
High risk: Agents that ingest external content (web pages, emails, documents, user-submitted text) and pass it through an orchestration framework to tool calls. This is the standard RAG pattern. It is also the standard indirect prompt injection attack surface.
Medium risk: Agents with direct user input and broad tool permissions. A user who knows the framework may craft inputs that exploit parameter trust.
Lower risk: Agents with tightly scoped tool permissions, sandboxed execution environments, and output validation layers between the model and the tool calls.
What to actually do about it
Short term (this week)
Update Semantic Kernel if you are using it. Audit any agent that uses the Search Plugin with in-memory vector store and check whether it is on an affected version.
For any framework you use: read the changelog for the last 90 days and look for security-related patches. These disclosures often happen quietly.
Medium term (this month)
Audit your trust model. Draw a line between model output and system execution. Every place that model output crosses into a system call is a potential injection surface. Map those crossings explicitly.
Apply least privilege to tools. Your agent does not need filesystem access if it only needs to query a database. Scope tool permissions to what is actually required. When a vulnerability is exploited, the blast radius is limited to what the tool can reach.
Add output validation. Before framework-parsed model output reaches a system call, validate it. Schema validation, parameter whitelisting, and rate limiting on tool calls all help. This is defense-in-depth, not a perfect fix.
Test indirect injection specifically. Most injection testing focuses on direct input. The real-world risk is indirect: content your agent ingests from external sources that contains injection payloads. Scrape a test page with injection content and run your agent against it.
Longer term
The architecture of agent security is moving toward sandboxing at the execution layer, not detection at the input layer. Classifier-based injection detection will miss novel techniques. Execution sandboxes that limit what injected instructions can actually do are a more durable defense.
Microsoft's research team is releasing more disclosures. Watch the Microsoft Security Blog and the CVE feeds for LangChain, CrewAI, and AutoGen specifically.
The uncomfortable framing
This is not a Semantic Kernel bug in the traditional sense. The framework behaved correctly by its own design: it parsed model output and passed it to tools. The bug is that its design trusted model output too completely in a world where that output can be adversarially shaped.
As agents get more capable and more connected, the attack surface grows with them. An agent that can send emails, read files, query APIs, and spawn processes is a powerful target for anyone who can influence its inputs.
The security community is still working out what "secure by default" even means for frameworks that are purpose-built to let AI models call system functions. That question is going to be revisited a lot over the next two years.
In the meantime: update your dependencies, audit your trust surfaces, and assume that anything your agent ingests from the external world is adversarial until proven otherwise.