Microsoft Semantic Kernel's prompt-injection-to-RCE vulnerabilities.
On May 7, Microsoft disclosed two critical bugs in Semantic Kernel, its framework for building AI agents. CVE-2026-26030 (CVSS 9.8) in the Python SDK and CVE-2026-25592 (CVSS 10.0) in the .NET SDK both turn a single crafted prompt into host-level code execution.
The Python bug routed attacker-controlled vector store fields straight into eval(). The .NET bug exposed an internal file download helper as a callable kernel function with no path validation, letting a prompt-injected agent escape its sandbox by abusing DownloadFileAsync.
The mechanism in both cases is the same. Functions intended for the application's own use were registered with the LLM as tools it could call directly. Once a prompt convinced the model to call them with the wrong arguments, the framework executed them on the model's behalf with whatever privileges the application had.
Prompt injection is often treated as a content problem, something to be filtered or rephrased. Once an LLM is wired to tools that touch the filesystem, the network, or a code interpreter, the prompt carries the privileges of whatever you registered.
The tool registry is the attack surface. What lives in it, and how tightly its arguments are validated, decides what a successful injection can actually do.
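As an added example, not code from Semantic Kernel or from the advisories: a minimal tool registry in which each registered function validates the arguments the model hands it, with the unvalidated "before" shape beside a path-confined "after" shape. The sandbox root, tool names and return strings are assumptions made for the illustration.

```python
# Added example (not Semantic Kernel's own code): a tiny tool registry that
# shows why argument validation on registered tools decides what a prompt
# injection can do. SANDBOX_ROOT, the tool names and the return strings are
# assumptions; no file I/O is performed, the functions only report the path.
from pathlib import Path
from typing import Callable

SANDBOX_ROOT = Path("/tmp/agent_sandbox")  # assumed directory the agent may touch


class ToolRegistry:
    """Holds the functions an LLM may call; each entry validates its own args."""

    def __init__(self) -> None:
        self._tools: dict[str, Callable[..., str]] = {}

    def register(self, name: str, fn: Callable[..., str]) -> None:
        self._tools[name] = fn

    def invoke(self, name: str, **kwargs) -> str:
        # Fail closed: a name that was never registered is never callable,
        # regardless of what the model asks for.
        if name not in self._tools:
            raise PermissionError(f"tool not registered: {name}")
        return self._tools[name](**kwargs)


def resolve_in_sandbox(user_path: str) -> Path:
    """Resolve a model-supplied path and refuse anything outside SANDBOX_ROOT."""
    root = SANDBOX_ROOT.resolve()
    # joining an absolute user_path discards root, and resolve() collapses
    # '..' and symlinks, so the containment check below sees the real target
    candidate = (root / user_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes sandbox: {user_path}")
    return candidate


def unsafe_download(path: str) -> str:
    # 'Before' shape: whatever path the model supplies is used as-is.
    return f"would write to {Path(path)}"


def safe_download(path: str) -> str:
    # 'After' shape: the path is confined before any I/O would happen.
    return f"would write to {resolve_in_sandbox(path)}"
```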