CVE-2026-26030 / CVE-2026-25592 — Microsoft Semantic Kernel: prompt-injection-to-RCE in the Python and .NET SDKs of Microsoft's AI agent orchestration framework (CVSS 9.9 each)

CVE-2026-26030 (CWE-94, CVSS 9.9) is a code-injection flaw in the Python SDK's InMemoryVectorStore filter function. An f-string composes the LINQ-like filter expression directly from an LLM-controlled parameter rather than parameterising it; the SDK applies a blocklist validator that an attacker bypasses with the well-known __class__.__bases__[0].__subclasses__() class-hierarchy traversal pattern, escaping the validator and yielding os.system-equivalent execution on the host running the agent. Affected versions: Python SDK < 1.39.4. CVE-2026-25592 (CWE-22, CVSS 9.9) is a class-design flaw in the .NET SDK: SessionsPythonPlugin.DownloadFileAsync and SessionsPythonPlugin.UploadFileAsync carry a [KernelFunction] attribute that should not have been applied — the LLM can therefore call those methods directly with attacker-chosen path arguments, yielding an arbitrary file-write primitive that breaks containment from the Azure Container Apps Python sessions sandbox into the host filesystem of the agent process. Affected versions: .NET SDK < 1.71.0. Both issues require only that an attacker can inject prompt content the agent consumes (user input, retrieved RAG documents, tool outputs) and that the agent is using a default-configured Search Plugin or Sessions Python plugin (Microsoft Security Blog, 2026-05-07 · GitHub Security Advisory GHSA-xjw9-4gw8-4rqx, 2026-05-07 · GitHub Security Advisory GHSA-2ww3-72rp-wpp4, 2026-05-07).

A working PoC for CVE-2026-26030 is public in the amiteliahu/AIAgentCTF GitHub repository per Microsoft's research post; no in-the-wild exploitation has been reported. Patches: Python SDK ≥ 1.39.4 and .NET SDK ≥ 1.71.0 — note that the GitHub Security Advisory for CVE-2026-25592 records 1.39.3 as its minimum patched Python version, and 1.39.4 (the patched version for CVE-2026-26030) supersedes 1.39.3 and closes both CVEs. Microsoft characterises both flaws as systemic of agentic-AI patterns that "trust LLM-controlled parameters without explicit validation" — readers should expect analogous flaws in LangChain, CrewAI, AutoGen and other agent frameworks. Full deep dive in § 5.