LIVE THREATS
HIGH Claude Mythos AI-Assisted Fuzzing Uncovers 423 Firefox Security Bugs in One Month // HIGH Fake Claude AI Site Used to Distribute Beagle Backdoor and PlugX Malware // HIGH Malicious Repos Trigger Silent Code Execution in Claude, Cursor, Gemini CLIs // HIGH Mitiga Labs: MCP Hijack Attack Steals Claude Code OAuth Tokens via Silent … // HIGH Pixel-Level Perturbations Enable Invisible Prompt Injection in Vision-Language Models // CRITICAL Prompt Injection Achieves Remote Code Execution in Semantic Kernel Agent Framework // HIGH Unmanaged AI Agents Expose Enterprise Identity Perimeters to Silent Compromise // CRITICAL Bleeding Llama Flaw Exposes 300,000 Ollama Servers to Unauthenticated Data Theft // MEDIUM CrowdStrike Researcher Details AI Jailbreaking and Data Poisoning Techniques // HIGH Mass Scan Reveals Widespread Authentication Failures Across Exposed AI Infrastructure //
ATLAS OWASP CRITICAL Active exploitation · Immediate action required LLM Security Prompt Injection Agentic AI Research RELEVANCE ▲ 9.2

Prompt Injection Achieves Remote Code Execution in Semantic Kernel Agent Framework

SOURCE Microsoft Security Blog ↗
TL;DR CRITICAL
  • What happened: Two Semantic Kernel CVEs let prompt injection trigger remote code execution via compromised agent plugins.
  • Who's at risk: Developers and enterprises building AI agent applications on Semantic Kernel, LangChain, or CrewAI are directly exposed due to systemic trust misplacement in framework tool-mapping layers.
  • Act now: Patch Semantic Kernel immediately and review CVE-2026-26030 and CVE-2026-25592 advisories · Audit all agent plugins/tools for untrusted input paths and enforce strict parameter validation · Apply least-privilege principles to agent tool permissions and sandbox code execution environments
Prompt Injection Achieves Remote Code Execution in Semantic Kernel Agent Framework

Overview

Microsoft’s Defender Security Research Team has disclosed two critical vulnerabilities in Semantic Kernel, one of the most widely adopted AI agent orchestration frameworks, revealing how prompt injection can escalate directly to remote code execution (RCE). The findings represent a landmark moment in AI security: vulnerabilities in the agentic layer are no longer theoretical content risks — they are live execution risks capable of granting attackers shell-level access.

The two CVEs — CVE-2026-26030 (In-Memory Vector Store) and CVE-2026-25592 (Arbitrary File Write via SessionsPythonPlugin) — were responsibly disclosed and patched before publication.

Technical Analysis

The root cause in both cases is a trust boundary failure between the LLM output layer and the plugin execution layer. AI agent frameworks parse natural language into structured tool call schemas. Semantic Kernel then maps these schemas directly to system-level operations — without sufficient validation that the parsed parameters are safe.

CVE-2026-26030 (In-Memory Vector Store): An attacker embedding adversarial content in data ingested by the vector store can manipulate retrieval results, injecting malicious tool parameters into the agent’s reasoning context. This allows the attacker to steer subsequent plugin calls with attacker-controlled values.

CVE-2026-25592 (Arbitrary File Write via SessionsPythonPlugin): The SessionsPythonPlugin, designed to allow agents to execute Python code, did not adequately sanitise file path parameters derived from LLM output. A crafted prompt injection payload could cause the agent to write attacker-controlled content to arbitrary filesystem paths, enabling a path traversal-to-RCE attack chain.

The attack chain is illustrative:

  1. Attacker embeds prompt injection payload in external content (e.g., a document, web page, or database record)
  2. Agent ingests and processes the content
  3. LLM parses the adversarial instruction and generates a tool call with attacker-controlled parameters
  4. Framework executes the tool without validating parameter provenance
  5. Arbitrary file write or code execution occurs

Framework Mapping

FrameworkCategoryRelevance
AML.T0051LLM Prompt InjectionCore attack vector
AML.T0043Craft Adversarial DataPayload crafting in ingested content
AML.T0047ML-Enabled Product or ServiceFramework-level systemic risk
LLM01Prompt InjectionDirect classification
LLM07Insecure Plugin DesignTrust failure in tool parameter handling
LLM08Excessive AgencyAgent acts on injected instructions without constraint
LLM02Insecure Output HandlingLLM output passed unsanitised to system calls

Impact Assessment

The systemic nature of this risk is what elevates severity to critical. Semantic Kernel, LangChain, and CrewAI collectively underpin thousands of enterprise AI applications. A vulnerability in the framework layer multiplies across every application built on top of it. Affected parties include:

  • Enterprise developers using Semantic Kernel to build document processing, coding, or data retrieval agents
  • Cloud-hosted AI services where agents have access to persistent storage or code execution environments
  • Any pipeline that ingests untrusted external content (web, email, user uploads) into an agent with active plugins

Mitigation & Recommendations

  1. Patch immediately — Apply the latest Semantic Kernel releases addressing CVE-2026-26030 and CVE-2026-25592
  2. Validate tool parameters — Never trust LLM-generated parameters directly; enforce allowlists and schema validation at the plugin boundary
  3. Sandbox execution environments — Isolate code-execution plugins (e.g., Python runners) in containers with no filesystem access to sensitive paths
  4. Apply least privilege — Agent tools should have the minimum permissions required; avoid granting write access unless explicitly necessary
  5. Monitor agent behaviour — Log all plugin invocations and flag anomalous tool call patterns for review
  6. Treat external content as untrusted — Any data ingested from outside the trust boundary should be treated as potentially adversarial

References

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.