Semantic Kernel flaws enable prompt-to-RCE
Microsoft disclosed two fixed vulnerabilities in Semantic Kernel that could turn prompt injection into host-level code execution or arbitrary file write, depending on the agent configuration. The guidance is straightforward: upgrade affected Python and .NET packages and treat model-controlled tool inputs as attacker-controlled data.
This is a clean example of the real AI-agent security failure mode: the model is not the boundary, the tools are. Once prompt-driven output can steer evals, file writes, or plugin calls, a chat interface becomes an execution surface.
- CVE-2026-26030 affects Python Semantic Kernel before 1.39.4 when the In-Memory Vector Store search path is exposed; Microsoft says upgrading removes the risky filter path.
- CVE-2026-25592 affects .NET Semantic Kernel SDK versions older than 1.71.0 and shows how a sandboxed plugin can still become a write primitive if the model can reach it.
- The broader lesson is that framework-level convenience abstractions can concentrate risk across every downstream agent built on top of them.
- Defenders should inventory exposed tools, audit auto-invoked functions, and look for host telemetry such as suspicious child processes, outbound connections, and persistence artifacts.
- This raises the bar for agent framework design: allowlists, strict schema validation, and explicit human approval for sensitive tool calls are not optional extras.
DISCOVERED 2026-05-10
PUBLISHED 2026-05-10