Microsoft disclosed and patched two critical vulnerabilities in its Semantic Kernel AI agent framework on May 7, 2026. The technique they demonstrate matters for any team building agents that connect language models to tools.

CVE-2026-26030, scored CVSS 9.9, affected the In-Memory Vector Store’s default search filter. The filter was built as a Python lambda expression in a string and executed through eval(). A crafted prompt could inject code into the filter parameter, break out of the lambda, and achieve remote code execution on the host machine. No browser exploit, malicious attachment or memory corruption was required. According to Microsoft’s security blog, “a single prompt was enough to launch calc.exe on the device running our AI agent.”

The second vulnerability, CVE-2026-25592, affected a different execution path in the same framework. Both have been patched in current Semantic Kernel releases.

The Attack Pattern

Microsoft built a demonstration using a hotel-finder agent to illustrate the exploit chain. The agent was configured with an In-Memory Vector collection storing hotel data and a search_hotels(city=...) function exposed to the model through tool calling.

When a user asked “Find hotels in Paris,” the model called the search plugin with city="Paris". Before computing vector similarity, the plugin ran a deterministic filter. By default that filter was constructed as a string, lambda x: x.city == 'Paris', with the city value interpolated into the source text, and the string was passed to Python’s eval().

The injection point: if an attacker controlled the city parameter through prompt injection, either directly or via content the agent retrieved from an external source, they could inject arbitrary Python code into the eval() call. The model was not misbehaving. It was doing exactly what it was designed to do: parsing language into tool schemas and passing parameters to code. The vulnerability was in how the framework trusted the parsed data.

This is what Microsoft’s blog calls the real security story: “Once an AI model is wired to tools, prompt injection draws a thin line between being just a content security problem and becoming a code execution primitive.”

Production Relevance

Semantic Kernel has over 27,000 GitHub stars and is a foundational framework for enterprise AI agent development. The vulnerability class, prompt injection escalating through tool use to system-level execution, applies to any agent framework that bridges natural language input to code execution.

Security architect Arnav Sharma published a production security framework on May 13 that cites CVE-2026-26030 as a case study within a broader pattern. Sharma’s analysis references data showing prompt injection appeared in 73% of production AI deployments in 2025, a figure corroborated by Lexology’s coverage of the same research. That number covers production systems, not lab environments or red-team exercises.

The underlying pattern has three properties that make agentic systems harder to secure than chatbots: persistent memory across sessions (where a single injection can compromise interactions for months), tool chaining across systems (where each API call is a lateral movement opportunity), and multi-agent orchestration (where a compromised sub-agent can poison upstream decisions).

Patching and Mitigation

Both vulnerabilities are fixed in current Semantic Kernel releases. Microsoft published the disclosure as the first in a planned research series on AI agent framework security, with upcoming posts covering vulnerabilities in frameworks beyond the Microsoft ecosystem.

For teams running agents on Semantic Kernel, the immediate action is to update to the latest release. For teams building on any framework that maps model outputs to tool calls, the architectural lesson is specific: never pass AI-influenced parameters to eval(), exec(), or equivalent dynamic execution functions. Treat every value coming from a language model as untrusted input, the same way web applications treat HTTP request parameters: validate it against the tool’s declared schema and use it only as data, never as code.
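The eval-based filter from the hotel-finder demonstration above, beside the shape of fix the “never eval” rule implies, as an added example. This is an illustrative reconstruction written for this page, not Semantic Kernel’s code or Microsoft’s proof of concept. The hotel records, the _pwned() marker (standing in for calc.exe), the INJECTED_CITY string and the CITY_RE allow-list are all constructed for the example; only the string-built lambda passed to eval() follows the page’s description.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hotel:
    name: str
    city: str


# Constructed sample collection standing in for the in-memory vector store.
HOTELS = [Hotel("Le Marais Inn", "Paris"), Hotel("Tiber View", "Rome")]

# Benign side-effect marker standing in for calc.exe: injected code flips it,
# so we can observe that the breakout ran without executing anything harmful.
SIDE_EFFECT = {"fired": False}


def _pwned() -> bool:
    SIDE_EFFECT["fired"] = True
    return True


def reset_side_effect() -> None:
    SIDE_EFFECT["fired"] = False


# A constructed tool parameter that closes the quoted literal, splices in a
# call and re-opens the literal, so the eval()'d source stays syntactically valid.
INJECTED_CITY = "' or _pwned() or '"


def search_hotels_vulnerable(city: str) -> list[str]:
    """Filter built by interpolating the tool parameter into lambda source.

    Assumed reconstruction of the pattern described above, not the framework's
    code: the value is compiled as code instead of being compared as data.
    """
    source = f"lambda x: x.city == '{city}'"
    flt = eval(source)  # noqa: S307 - deliberately vulnerable
    return [h.name for h in HOTELS if flt(h)]


def search_hotels_hardened(city: str) -> list[str]:
    """Same filter as a closure: the parameter is only ever a comparison operand."""
    def flt(x: Hotel) -> bool:
        return x.city == city
    return [h.name for h in HOTELS if flt(h)]


# Constructed allow-list for the city parameter: letters, spaces, dots, hyphens.
CITY_RE = re.compile(r"[A-Za-z][A-Za-z .\-]{0,63}")


def is_valid_city(city: object) -> bool:
    return isinstance(city, str) and CITY_RE.fullmatch(city) is not None


def validate_city(city: object) -> str:
    """Schema-level check applied before the tool runs (defence in depth).

    Not a substitute for removing eval(); it narrows what the model can hand
    the tool, the way a web app validates a request parameter.
    """
    if not is_valid_city(city):
        raise ValueError(f"rejected city parameter: {city!r}")
    return city  # type: ignore[return-value]


if __name__ == "__main__":
    print("vulnerable, benign  :", search_hotels_vulnerable("Paris"))
    reset_side_effect()
    print("vulnerable, injected:", search_hotels_vulnerable(INJECTED_CITY),
          "| side effect fired:", SIDE_EFFECT["fired"])
    reset_side_effect()
    print("hardened, injected  :", search_hotels_hardened(INJECTED_CITY),
          "| side effect fired:", SIDE_EFFECT["fired"])
    print("allow-list accepts injected value:", is_valid_city(INJECTED_CITY))
```

With the injected value, the vulnerable path evaluates lambda x: x.city == '' or _pwned() or '' and returns every hotel while flipping the marker; the hardened path compares the same string as data, matches nothing and runs nothing. The allow-list is the second layer: it rejects the value at the schema boundary, but the real fix is that no model-influenced string reaches eval() at all.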

Microsoft’s framing is direct: “The AI model itself isn’t the issue as it’s behaving exactly as designed by parsing language into tool schemas. The vulnerability lies in how the framework and tools trust the parsed data.”