AI Agent RCE Flaws in Semantic Kernel Explained

Introduction

AI agents are changing enterprise application design, but they also introduce a new execution risk. Microsoft Defender Security Research has detailed how prompt injection in AI agent frameworks can move beyond content manipulation and become host-level remote code execution (RCE) when tools and plugins trust model-generated parameters.

For security teams and developers using agent frameworks, this is an important reminder: once an LLM can call tools, weaknesses in framework logic can directly affect the underlying system.

What’s new

Microsoft disclosed two critical vulnerabilities in the open-source Semantic Kernel framework:

• CVE-2026-26030: An RCE path involving the In-Memory Vector Store when used with the Search Plugin in its default configuration
• CVE-2026-25592: An arbitrary file write issue through SessionsPythonPlugin

According to Microsoft, both vulnerabilities have been fixed.

The most notable finding is that exploitation did not require a browser exploit, malicious attachment, or memory corruption bug. In the demonstrated scenario, a single prompt injection was enough to influence tool parameters and trigger code execution on the host.

Why the issue occurred

The research highlights a broader design problem in AI agent frameworks:

• Agents interpret natural language and map it to tool calls
• Frameworks often trust parsed model output too much
• Unsafe parameter handling can create execution sinks
• Blocklist-based protections can be bypassed in dynamic languages like Python

In the Semantic Kernel case, Microsoft researchers found unsafe string interpolation in a Python lambda expression executed with eval(), combined with a validator that could be bypassed.

Impact on IT and security teams

Organizations experimenting with AI agents, copilots, or custom LLM apps should treat this as a framework security issue, not just an AI safety issue.

Potential exposure is highest where:

• Semantic Kernel is used in production or internal apps
• Agents can access plugins, scripts, files, or data stores
• Prompt injection is possible through user input, documents, or connected content sources
• Default Search Plugin and In-Memory Vector Store configurations are in use

This research also has implications beyond Semantic Kernel. Many teams use frameworks such as LangChain, CrewAI, or similar orchestration layers, and the same trust model concerns may apply.

Recommended next steps

Security and platform teams should:

• Patch affected Semantic Kernel deployments immediately
• Inventory AI agents and plugins that can execute code, read files, or access sensitive systems
• Review tool-calling paths for unsafe deserialization, interpolation, or dynamic execution patterns
• Harden prompt injection defenses and assume hostile input can reach agent tools
• Audit logs and telemetry for suspicious plugin invocations or unexpected process execution
• Reduce agent privileges so successful prompt injection cannot easily lead to system compromise

Bottom line

Microsoft’s research shows that in agentic applications, prompt injection can become an execution primitive when frameworks and tools over-trust model output. For defenders, the priority is clear: patch vulnerable frameworks, review plugin design, and apply least privilege before AI agents become a new RCE surface.