Prompt Injection Achieves Remote Code Execution in Semantic Kernel Agent Framework

Overview

Microsoft’s Defender Security Research Team has disclosed two critical vulnerabilities in Semantic Kernel, one of the most widely adopted AI agent orchestration frameworks, revealing how prompt injection can escalate directly to remote code execution (RCE). The findings represent a landmark moment in AI security: vulnerabilities in the agentic layer are no longer theoretical content risks — they are live execution risks capable of granting attackers shell-level access.

The two CVEs — CVE-2026-26030 (In-Memory Vector Store) and CVE-2026-25592 (Arbitrary File Write via SessionsPythonPlugin) — were responsibly disclosed and patched before publication.

Technical Analysis

The root cause in both cases is a trust boundary failure between the LLM output layer and the plugin execution layer. AI agent frameworks parse natural language into structured tool call schemas. Semantic Kernel then maps these schemas directly to system-level operations — without sufficient validation that the parsed parameters are safe.

CVE-2026-26030 (In-Memory Vector Store): An attacker embedding adversarial content in data ingested by the vector store can manipulate retrieval results, injecting malicious tool parameters into the agent’s reasoning context. This allows the attacker to steer subsequent plugin calls with attacker-controlled values.

CVE-2026-25592 (Arbitrary File Write via SessionsPythonPlugin): The SessionsPythonPlugin, designed to allow agents to execute Python code, did not adequately sanitise file path parameters derived from LLM output. A crafted prompt injection payload could cause the agent to write attacker-controlled content to arbitrary filesystem paths, enabling a path traversal-to-RCE attack chain.

The attack chain is illustrative:

1. Attacker embeds prompt injection payload in external content (e.g., a document, web page, or database record)
2. Agent ingests and processes the content
3. LLM parses the adversarial instruction and generates a tool call with attacker-controlled parameters
4. Framework executes the tool without validating parameter provenance
5. Arbitrary file write or code execution occurs

Framework Mapping

Impact Assessment

The systemic nature of this risk is what elevates severity to critical. Semantic Kernel, LangChain, and CrewAI collectively underpin thousands of enterprise AI applications. A vulnerability in the framework layer multiplies across every application built on top of it. Affected parties include:

• Enterprise developers using Semantic Kernel to build document processing, coding, or data retrieval agents
• Cloud-hosted AI services where agents have access to persistent storage or code execution environments
• Any pipeline that ingests untrusted external content (web, email, user uploads) into an agent with active plugins

Mitigation & Recommendations

1. Patch immediately — Apply the latest Semantic Kernel releases addressing CVE-2026-26030 and CVE-2026-25592
2. Validate tool parameters — Never trust LLM-generated parameters directly; enforce allowlists and schema validation at the plugin boundary
3. Sandbox execution environments — Isolate code-execution plugins (e.g., Python runners) in containers with no filesystem access to sensitive paths
4. Apply least privilege — Agent tools should have the minimum permissions required; avoid granting write access unless explicitly necessary
5. Monitor agent behaviour — Log all plugin invocations and flag anomalous tool call patterns for review
6. Treat external content as untrusted — Any data ingested from outside the trust boundary should be treated as potentially adversarial

References

• Microsoft Security Blog — When prompts become shells: RCE vulnerabilities in AI agent frameworks