PERMISSION/PROTOCOL

2026-05-07

Critical · Primary

Prompt injection in Microsoft Semantic Kernel enables remote code execution via AI model-controlled eval()

Microsoft Security disclosed two Semantic Kernel vulnerabilities (CVE-2026-25592, CVE-2026-26030) where prompt injection turns AI model outputs into host-level remote code execution via unsanitized eval().

Product
Microsoft Semantic Kernel
Category
Tool execution / MCP
Attack
Prompt injection to host-level RCE via AI framework eval()
Affected
Any application built on Microsoft Semantic Kernel using the In-Memory Vector Store or affected plugin configurations

What happened

Crafted prompt manipulates Semantic Kernel's In-Memory Vector Store search plugin to execute arbitrary Python via eval() after bypassing the AST blocklist

Why it matters

Host-level code execution with the privileges of the process running the AI agent; scope of exploitation in production environments not publicly confirmed

Missing authorization check

An independent validation layer between AI model tool-call outputs and code execution paths; signed receipts for any framework function that reaches eval() or equivalent dynamic execution

Would PP block it?

PP's authority model ensures that only pre-approved tool calls are executed against named resources. An agent running inside a PP-governed workflow would still be vulnerable to the framework-level RCE, but subsequent lateral movement — touching production resources, triggering deployments, or exfiltrating credentials — would require a signed receipt. The initial RCE requires a framework patch (v1.71.0), not a PP gate.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-05-07

    Microsoft Security publishes full disclosure of CVE-2026-25592 and CVE-2026-26030 in Semantic Kernel.

  2. 2026-05-07

    Patch released in Semantic Kernel v1.71.0; customers advised to upgrade immediately.

  3. 2026-05-07

    SecurityWeek covers the research; notes the issue extends to any framework that maps AI model outputs to system tools.

Technical breakdown

  • CVE-2026-26030: In-Memory Vector Store default filter function uses Python eval() with AI model-controlled parameters, enabling injection via crafted city/field values.
  • AST-based blocklist validator designed to prevent unsafe operations is bypassable through language flexibility — blocklists in dynamic languages are inherently fragile.
  • CVE-2026-25592: A second Semantic Kernel vulnerability in the .NET SDK enables autonomous tool triggering by the AI model, creating an RCE path without a blocking authorization check.
  • Microsoft's own research team discovered both issues — the framework vendor is also the security researcher, indicating the vulnerability class is non-obvious even to authors.
  • With 27,000+ GitHub stars, Semantic Kernel is a foundational layer for enterprise AI agents — a single framework vulnerability carries systemic risk across many applications.
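The eval()-based filter pattern described above, beside a hardened form that applies the "independent validation layer" this tracker calls for. This is an added example, not Semantic Kernel's own code; the record schema, field names, operator table and sample records are constructed for illustration.

```python
# Added example, not Semantic Kernel's code: a vector-store filter that treats
# model-supplied parameters as data, next to the eval() pattern it replaces.
# SCHEMA, OPS and RECORDS are constructed for illustration.
import operator
from typing import Any

# Constructed schema: the only fields a filter may reference, with their types.
SCHEMA = {"city": str, "year": int}
# Fixed operator table; the model picks a key, never supplies Python syntax.
OPS = {"eq": operator.eq, "ne": operator.ne, "lt": operator.lt, "gt": operator.gt}


class FilterRejected(ValueError):
    """Raised when a model-supplied filter fails validation."""


def unsafe_filter(records: list[dict], field: str, value: str) -> list[dict]:
    """The vulnerable pattern: field and value are spliced into source text and
    handed to eval(), so whatever the model emits is executed as Python."""
    matched = []
    for r in records:
        if eval(f"r[{field!r}] == {value}"):  # value is interpreted as code
            matched.append(r)
    return matched


def validate_clause(raw: Any) -> tuple[str, str, Any]:
    """Independent validation layer: every part of a clause is checked against
    an allowlist before it can influence evaluation."""
    if not isinstance(raw, dict) or set(raw) != {"field", "op", "value"}:
        raise FilterRejected("clause must have exactly field/op/value")
    field, op, value = raw["field"], raw["op"], raw["value"]
    if field not in SCHEMA:
        raise FilterRejected(f"unknown field {field!r}")
    if op not in OPS:
        raise FilterRejected(f"unknown operator {op!r}")
    if type(value) is not SCHEMA[field]:  # exact type: bool must not pass as int
        raise FilterRejected(f"{field!r} expects {SCHEMA[field].__name__}")
    return field, op, value


def safe_filter(records: list[dict], raw_clauses: list[Any]) -> list[dict]:
    """Evaluate validated clauses as data; no dynamic code execution path."""
    clauses = [validate_clause(c) for c in raw_clauses]
    return [r for r in records
            if all(OPS[op](r[field], value) for field, op, value in clauses)]


# Constructed sample records standing in for vector-store metadata.
RECORDS = [{"city": "Seattle", "year": 2021}, {"city": "Oslo", "year": 2019}]

if __name__ == "__main__":
    print(unsafe_filter(RECORDS, "year", "2020 + 1"))  # the string ran as code
    print(safe_filter(RECORDS, [{"field": "year", "op": "eq", "value": 2021}]))
```

In the hardened form a model output such as `"2020 + 1"` is rejected as a value of the wrong type instead of being evaluated, and unknown fields or operators never reach any execution path.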

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Runtime Gate. The verdict is conditional: PP blocks only where the real action boundary is routed through a gate.

If enforced at
AI agent framework layer / plugin execution boundary
Still needs
PP does not currently validate AI framework-internal eval() or dynamic code execution paths
Receipt required for
Any tool call that reaches dynamic code execution; any plugin that accepts AI model-controlled parameters for data operations

PP can gate the downstream actions an agent is authorized to trigger (file reads, network calls, deployments). It does not currently patch framework-level eval() injection sinks.

Start small

Put the relevant gate at this action boundary.

This incident maps to Runtime Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
