CVE-2026-26030 + CVE-2026-25592 — Microsoft Semantic Kernel Python and .NET SDKs: a class-of-bug for agentic-AI frameworks
From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11
The two Semantic Kernel CVEs are the highest-signal new CVE pair of the week even without confirmed in-the-wild exploitation: both flaws stem from the same design weakness, an agent framework treating LLM-controlled values as input to executable abstractions without explicit validation at the boundary. The Python SDK flaw (CVE-2026-26030, CWE-94) interpolates an LLM-controlled parameter into the InMemoryVectorStore filter expression via f-string composition; a string-blocklist validator is bypassed by the canonical "".__class__.__bases__[0].__subclasses__() class-hierarchy traversal pattern, yielding subprocess.Popen-equivalent execution on the host of the agent process. A public PoC exists in the amiteliahu/AIAgentCTF GitHub repository, per Microsoft's research post. The .NET SDK flaw (CVE-2026-25592, CWE-22, effectively a sandbox escape) ships a stray [KernelFunction] attribute on SessionsPythonPlugin.DownloadFileAsync and SessionsPythonPlugin.UploadFileAsync; the LLM can therefore invoke those methods with attacker-chosen path arguments, yielding an arbitrary file write that breaks containment from the Azure Container Apps Python sessions sandbox onto the agent process's host filesystem (Microsoft Security Blog, 2026-05-07 · GitHub GHSA-xjw9-4gw8-4rqx · GitHub GHSA-2ww3-72rp-wpp4 · daily 2026-05-10 deep dive).
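The Python flaw above is the generic shape of CWE-94 in an agent framework: the model's field, operator and value are composed into an expression string that the SDK then evaluates, and a substring blocklist in front of that step is not a boundary. The block below is an added example, not Semantic Kernel's code, of the hardened alternative: a metadata filter that stays structured end to end (allowlisted fields and operators, values type-checked against a per-field schema, matching done with plain comparisons), so model-supplied text is only ever compared as data. The record layout, the field schema and the search() entry point are constructed for the example.

```python
"""Added example (not the SDK's code): a filter boundary that never turns
model-supplied text into an executable expression."""
from dataclasses import dataclass
import operator
import re
from typing import Any, Callable

# Constructed stand-in for vector-store records (not the SDK's record type).
RECORDS = [
    {"id": "doc-1", "tenant": "acme", "year": 2024, "text": "quarterly report"},
    {"id": "doc-2", "tenant": "acme", "year": 2026, "text": "roadmap"},
    {"id": "doc-3", "tenant": "globex", "year": 2026, "text": "incident retro"},
]

# Schema the model may filter on: field name -> required value type.
ALLOWED_FIELDS: dict[str, type] = {"id": str, "tenant": str, "year": int}

# Operators are looked up by name; the name is never interpolated anywhere.
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "==": operator.eq, "!=": operator.ne,
    "<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge,
}

_FIELD_RE = re.compile(r"^[a-z_][a-z0-9_]*$")


class FilterError(ValueError):
    """Raised when a model-supplied clause does not fit the schema."""


@dataclass(frozen=True)
class Clause:
    field: str
    op: str
    value: Any


def parse_clause(raw: Any) -> Clause:
    """Validate one {field, op, value} object from the model against the allowlist.

    Every check is positive (is this one of the things we allow?), never negative
    (does it contain a forbidden substring?), so a dunder-traversal payload is
    either rejected outright (as a field or operator) or compared as an opaque
    literal (as a value); there is nothing to escape from.
    """
    if not isinstance(raw, dict):
        raise FilterError("clause must be an object")
    field, op, value = raw.get("field"), raw.get("op"), raw.get("value")
    if not isinstance(field, str) or not _FIELD_RE.match(field) or field not in ALLOWED_FIELDS:
        raise FilterError(f"unknown or malformed field {field!r}")
    if op not in OPERATORS:
        raise FilterError(f"unsupported operator {op!r}")
    expected = ALLOWED_FIELDS[field]
    # bool is a subclass of int in Python; reject it explicitly for int fields.
    if expected is int and (isinstance(value, bool) or not isinstance(value, int)):
        raise FilterError(f"field {field!r} requires an int, got {type(value).__name__}")
    if expected is str and not isinstance(value, str):
        raise FilterError(f"field {field!r} requires a str, got {type(value).__name__}")
    return Clause(field, op, value)


def build_predicate(clauses: list) -> Callable[[dict], bool]:
    """Turn validated clauses into an AND-combined predicate over records."""
    parsed = [parse_clause(c) for c in clauses]

    def predicate(record: dict) -> bool:
        return all(OPERATORS[c.op](record[c.field], c.value) for c in parsed)

    return predicate


def search(clauses: list, records: list = RECORDS) -> list:
    """Return ids of records matching all clauses; raises FilterError on bad input."""
    predicate = build_predicate(clauses)
    return [r["id"] for r in records if predicate(r)]


def is_rejected(clauses: list) -> bool:
    """True when the boundary refuses the clause set before any matching happens."""
    try:
        build_predicate(clauses)
    except FilterError:
        return True
    return False


if __name__ == "__main__":
    print(search([{"field": "tenant", "op": "==", "value": "acme"},
                  {"field": "year", "op": ">=", "value": 2026}]))  # ['doc-2']
```

The point of the design is that the filter language is closed: adding a new capability means adding an entry to ALLOWED_FIELDS or OPERATORS, not loosening a blocklist, and the traversal string the brief mentions simply matches no tenant.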
Both flaws bypass prompt-side mitigations (output filtering, response classifiers, "let the LLM judge") because the dangerous operation occurs inside the SDK, after any prompt-level check has already passed. The same class of bug is highly likely to exist in LangChain, CrewAI, AutoGen, Haystack, and LlamaIndex; defenders should not assume Semantic Kernel is uniquely affected. Patch path: Python SDK ≥ 1.39.4, .NET SDK ≥ 1.71.0; audit every [KernelFunction]-decorated method for parameters that are paths, file handles, raw strings later interpolated into code, SQL fragments, or URLs, and remove the decorator from anything that does not need to be LLM-callable. ATT&CK: T1059.006 (Python), T1611 (Escape to Host), T1565.001 (Stored Data Manipulation), T1005 (Data from Local System).
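The audit step above can be mechanised for a Python code base. The block below is an added example, not part of the brief or of Semantic Kernel, that walks source with the standard ast module, finds functions carrying a kernel_function decorator (assumed here to be the Python SDK's counterpart of the .NET [KernelFunction] attribute; the DECORATOR_NAMES set is the only thing to change for another framework), and reports parameters typed as free text or paths together with any f-string, eval/exec, open() or subprocess call in the body. The SAMPLE plugin it runs against is constructed for the example and is not real SDK code.

```python
"""Added example (not the SDK's code): static audit of LLM-callable functions."""
from __future__ import annotations
import ast
import re
from dataclasses import dataclass, field

DECORATOR_NAMES = {"kernel_function"}            # assumption: adjust per framework
_RISKY_ANNOTATION = re.compile(r"\b(str|bytes|Path|PathLike|Any)\b")
RISKY_CALLS = {"eval", "exec", "compile", "open"}
RISKY_ATTR_CALLS = {("subprocess", "Popen"), ("subprocess", "run"),
                    ("subprocess", "call"), ("os", "system"), ("os", "popen")}


@dataclass
class Finding:
    function: str
    line: int
    reasons: list[str] = field(default_factory=list)


def _decorator_name(node: ast.expr) -> str:
    """Name of a decorator for @name, @name(...), @mod.name and @mod.name(...)."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def _annotation_name(ann: ast.expr | None) -> str:
    """Source text of a parameter annotation ('' when the parameter is untyped)."""
    if ann is None:
        return ""
    if isinstance(ann, ast.Constant) and isinstance(ann.value, str):
        return ann.value                         # string ("forward reference") annotation
    return ast.unparse(ann)                      # e.g. str, Path, Optional[str]


def _risky_call(call: ast.Call) -> str:
    """Return 'name()' for a call worth flagging, '' otherwise."""
    f = call.func
    if isinstance(f, ast.Name) and f.id in RISKY_CALLS:
        return f"{f.id}()"
    if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
            and (f.value.id, f.attr) in RISKY_ATTR_CALLS):
        return f"{f.value.id}.{f.attr}()"
    return ""


def audit_source(source: str) -> list[Finding]:
    """One Finding per LLM-callable function with a risky signature or body."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        if not any(_decorator_name(d) in DECORATOR_NAMES for d in node.decorator_list):
            continue                             # not exposed to the model at all
        reasons: list[str] = []
        for arg in node.args.posonlyargs + node.args.args + node.args.kwonlyargs:
            if arg.arg in ("self", "cls"):
                continue
            ann = _annotation_name(arg.annotation)
            if ann == "":
                reasons.append(f"parameter {arg.arg!r} is untyped (free text from the model)")
            elif _RISKY_ANNOTATION.search(ann):
                reasons.append(f"parameter {arg.arg!r} is {ann} (path or free text from the model)")
        for sub in ast.walk(node):
            if isinstance(sub, ast.JoinedStr):
                reasons.append(f"f-string at line {sub.lineno} (check it does not build code, SQL or a path)")
            elif isinstance(sub, ast.Call) and (call_name := _risky_call(sub)):
                reasons.append(f"call to {call_name} at line {sub.lineno}")
        if reasons:
            findings.append(Finding(node.name, node.lineno, reasons))
    return findings


# Constructed sample plugin (not real SDK code) for the audit to run against.
SAMPLE = '''
from pathlib import Path

class SessionsPlugin:
    @kernel_function(description="Run Python in the remote session")
    async def execute(self, code: str) -> str:
        return await self._session.run(code)

    @kernel_function
    async def download_file(self, remote_path: str, local_path: Path) -> None:
        with open(local_path, "wb") as fh:
            fh.write(await self._session.fetch(remote_path))

    @kernel_function
    def add_days(self, days: int) -> int:
        return days + 1

    async def _internal(self, p):
        return p
'''

if __name__ == "__main__":
    for finding in audit_source(SAMPLE):
        print(f"{finding.function} (line {finding.line}):")
        for reason in finding.reasons:
            print("   -", reason)
```

Every hit is a review item, not a verdict: execute() is flagged because free-text code is its whole purpose and needs its sandbox reviewed, whereas download_file() is flagged for exactly the reason the brief gives (a host-side open() on a model-chosen path), and the fix there is to drop the decorator or replace the path parameter with an allowlisted handle.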