The Intake
The Intake — Sunday, May 10, 2026
On the substrate
Microsoft publishes post-patch technical disclosure of two Semantic Kernel RCEs, announces AI agent framework security research series
Microsoft Security Blog | NVD CVE-2026-26030 | GitLab Advisory CVE-2026-26030
Three members of the Microsoft Defender Security Research Team, Uri Oren, Amit Eliahu, and Dor Edry, published a technical disclosure on May 7 covering two RCE vulnerabilities in Microsoft's Semantic Kernel agent framework. The post frames itself as "the first in an ongoing series" of AI agent framework security research across multiple frameworks.
The first vulnerability, CVE-2026-26030, is in the Python SDK. It carries a CVSS score of 9.8 and is patched in version 1.39.4 and above. The InMemoryVectorStore component constructed its default filter as a Python lambda executed via eval(). The AI model-controlled search parameter was interpolated into that lambda without sanitization. A custom AST-based blocklist was in place but was bypassed. A single crafted prompt to an agent using the Search Plugin was sufficient. Host-level code execution followed.
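The pattern behind CVE-2026-26030, as an added example that is not code from Semantic Kernel or from Microsoft's patch: a filter built by interpolating a model-controlled value into an eval()'d lambda, beside a filter that only ever compares that value as data. All names here (build_filter_eval, build_filter_safe, RECORDS, CRAFTED) are hypothetical, and the crafted input is a harmless constructed value that only widens the filter.

```python
# Added illustration; every name below is hypothetical, not a Semantic Kernel API.
import operator

# Constructed sample records standing in for an in-memory vector store.
RECORDS = [
    {"id": 1, "city": "Paris", "tenant": "a"},
    {"id": 2, "city": "Lyon", "tenant": "b"},
]

def build_filter_eval(field, value):
    """Risky pattern: the model-controlled value becomes part of source code."""
    source = f"lambda r: r[{field!r}] == '{value}'"
    return eval(source)  # value is parsed as Python, not compared as data

ALLOWED_FIELDS = {"city", "tenant"}
OPS = {"eq": operator.eq, "ne": operator.ne}

def build_filter_safe(field, op, value):
    """Hardened pattern: a closure over data; nothing is parsed or evaluated."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field not allowed: {field!r}")
    if op not in OPS:
        raise ValueError(f"operator not allowed: {op!r}")
    if not isinstance(value, (str, int, float)):
        raise TypeError("filter value must be a scalar")
    compare = OPS[op]
    return lambda r: compare(r.get(field), value)

def search(records, predicate):
    """Return the ids of the records the predicate accepts."""
    return [r["id"] for r in records if predicate(r)]

# Constructed input: the quote characters change the expression's structure,
# so the eval-built filter matches every record instead of none.
CRAFTED = "x' or 'a' == 'a"

if __name__ == "__main__":
    print(search(RECORDS, build_filter_eval("city", CRAFTED)))        # [1, 2]
    print(search(RECORDS, build_filter_safe("city", "eq", CRAFTED)))  # []
```

The hardened form needs no blocklist because the search value never reaches a parser; the allowlists bound which fields and operators a tool call can name.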
The second vulnerability, CVE-2026-25592, is in the .NET SDK. It is patched in version 1.71.0 and above. The DownloadFileAsync function in the SessionsPythonPlugin was accidentally marked [KernelFunction]. That marking exposed the function to the AI model as a callable tool. No path validation was applied to the destination parameter. An attacker using prompt injection could chain DownloadFileAsync with ExecuteCode to write arbitrary payloads to host filesystem paths. The Windows Startup folder is among the named destinations.
The post title — "Prompts Become Shells" — names the vulnerability class both CVEs share. The team's announced series will test whether that pattern holds across other AI agent frameworks.