Microsoft Semantic Kernel CVE-2026-26030/25592 — Prompt Injection to RCE
AI relevance: Microsoft's Semantic Kernel agent framework contains two critical flaws where attacker-controlled retrieval content is routed directly into a Python eval() call and an unsafe host-side file download, turning indirect prompt injection into host-level remote code execution.
- CVE-2026-26030 (CVSS 9.8) lives in the Python SDK's InMemoryVectorStore component. The default filter expression is built as a Python lambda and executed via eval(); an attacker who controls any indexed field (e.g. a "city" value) can break out of the string and run arbitrary code inside the agent process.
- CVE-2026-25592 affects the .NET SDK's SessionsPythonPlugin, which exposed a sandbox-to-host file download method as a callable kernel function. A planner steered by prompt injection can pick up that tool and write attacker-chosen files outside the Azure Container Apps sandbox.
- Both vulnerabilities were disclosed by Microsoft on May 7, 2026, with the companion research post "When prompts become shells" documenting the attack path from a single retrieved document to a process launch on the agent host.
- Patches shipped the same day: semantic-kernel 1.39.4 (Python) and 1.71.0 (.NET). The NVD entry for CVE-2026-26030 confirms the 9.8 rating.
- The core failure pattern is architectural: the boundary between retrieved content and executable code dissolves when retrieval feeds tool arguments and tool arguments feed an interpreter. Traditional input sanitization sits outside the agent runtime and never sees the payload.
- Semantic Kernel powers production agents in Microsoft 365 Copilot, Azure RAG stacks, and enterprise automation pipelines — the blast radius of a single compromised retrieval source can include every downstream agent that queries it.
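The eval-based filter construction described above, shown as an added illustration (this is not Semantic Kernel's own code; the field names, sample records and the `_OPS` dispatch table are assumptions) next to a hardened builder that keeps the filter as structured data so an indexed value can never reach the interpreter:

```python
import operator
from typing import Callable

Record = dict[str, str]

# Vulnerable pattern: the filter is assembled as Python source from an indexed
# field value and handed to eval(), so the value is parsed as code, not data.
def build_filter_eval(field: str, value: str) -> Callable[[Record], bool]:
    src = f'lambda r: r["{field}"] == "{value}"'
    return eval(src)  # the defect under discussion: data reaches the interpreter

# Hardened pattern: the filter stays structured (field, operator, value) and is
# evaluated through a fixed dispatch table; eval() is never called.
_OPS: dict[str, Callable[[str, str], bool]] = {"eq": operator.eq, "ne": operator.ne}

def build_filter_safe(field: str, op: str, value: str) -> Callable[[Record], bool]:
    try:
        fn = _OPS[op]
    except KeyError:
        raise ValueError(f"unsupported filter operator: {op!r}") from None
    # value is only ever an argument to fn; its contents cannot change the program
    return lambda r: field in r and fn(r[field], value)

def run_filter(flt: Callable[[Record], bool], records: list[Record]) -> list[str]:
    return [r["id"] for r in records if flt(r)]

# Constructed sample index (hypothetical records, not from the advisory). The
# second city value contains a double quote, ordinary for text pulled into RAG.
RECORDS: list[Record] = [
    {"id": "1", "city": "Paris"},
    {"id": "2", "city": 'Say "hello"'},
]

def compare(field: str, value: str) -> tuple[str, list[str]]:
    """Return (outcome of the eval-based builder, ids matched by the safe builder)."""
    try:
        unsafe = "matched " + ",".join(run_filter(build_filter_eval(field, value), RECORDS))
    except SyntaxError:
        unsafe = "SyntaxError: field value was parsed as code"
    safe_ids = run_filter(build_filter_safe(field, "eq", value), RECORDS)
    return unsafe, safe_ids

if __name__ == "__main__":
    for v in ("Paris", 'Say "hello"'):
        print(repr(v), "->", compare("city", v))
```

The eval builder already breaks on a plain quote character in the data, which is the symptom of the architectural fault the advisory names: retrieved content and filter code share one string.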
Why it matters
This is a textbook case of the confused-deputy problem at the agent-framework level. Any organization using the default in-memory vector store or the Container Apps Python plugin without upgrading is exposed — the only prerequisite is an attacker-influenced field reaching the index. With CVSS 9.8 and reproducible PoC code published by Microsoft, unpatched deployments are an immediate priority.
What to do
- Upgrade semantic-kernel to ≥1.39.4 (Python) or ≥1.71.0 (.NET) immediately.
- Audit any RAG pipelines that ingest user-controlled or external data into vector stores — verify that no downstream agents still run unpatched SDK versions.
- Apply runtime guardrails that intercept tool calls before they reach host primitives; the eval-to-RCE path cannot be reliably blocked by input sanitization alone.