CVE-2026-25592

CVE-2026-26030 (CWE-94, CVSS 9.9) is a code-injection flaw in the Python SDK's InMemoryVectorStore filter function. An f-string composes the LINQ-like filter expression directly from an LLM-controlled parameter rather than parameterising it; the SDK applies a blocklist validator that an attacker bypasses with the well-known __class__.__bases__[0].__subclasses__() class-hierarchy traversal pattern, escaping the validator and yielding os.system-equivalent execution on the host running the agent. Affected versions: Python SDK < 1.39.4. CVE-2026-25592 (CWE-22, CVSS 9.9) is a class-design flaw in the .NET SDK: SessionsPythonPlugin.DownloadFileAsync and SessionsPythonPlugin.UploadFileAsync carry a [KernelFunction] attribute that should not have been applied — the LLM can therefore call those methods directly with attacker-chosen path arguments, yielding an arbitrary file-write primitive that breaks containment from the Azure Container Apps Python sessions sandbox into the host filesystem of the agent process. Affected versions: .NET SDK < 1.71.0. Both issues require only that an attacker can inject prompt content the agent consumes (user input, retrieved RAG documents, tool outputs) and that the agent is using a default-configured Search Plugin or Sessions Python plugin (Microsoft Security Blog, 2026-05-07 · GitHub Security Advisory GHSA-xjw9-4gw8-4rqx, 2026-05-07 · GitHub Security Advisory GHSA-2ww3-72rp-wpp4, 2026-05-07).

A working PoC for CVE-2026-26030 is public in the amiteliahu/AIAgentCTF GitHub repository per Microsoft's research post; no in-the-wild exploitation has been reported. Patches: Python SDK ≥ 1.39.4 and .NET SDK ≥ 1.71.0 — note that the GitHub Security Advisory for CVE-2026-25592 records 1.39.3 as its minimum patched Python version, and 1.39.4 (the patched version for CVE-2026-26030) supersedes 1.39.3 and closes both CVEs. Microsoft characterises both flaws as systemic of agentic-AI patterns that "trust LLM-controlled parameters without explicit validation" — readers should expect analogous flaws in LangChain, CrewAI, AutoGen and other agent frameworks. Full deep dive in § 5.

• Patch first. Upgrade Python SDK to ≥ 1.39.4 and .NET SDK to ≥ 1.71.0. The patched releases also include the upstream test additions covering the bypass patterns.
• If immediate upgrade is blocked, implement a Function Invocation Filter (the SDK-supported hook documented in the Microsoft research post) to allowlist the methods and parameters that may be called. This neutralises the unintended-[KernelFunction] exposure on the .NET side and reduces the Python-side blast radius even if the validator is bypassed.
• Audit every [KernelFunction]-decorated method in your codebase for parameter types that are paths, file handles, raw strings later interpolated into code, SQL fragments, or URLs; remove the decorator from anything that does not need to be LLM-callable.
• Treat LLM-supplied inputs to filter / templating / dispatch as untrusted at the SDK boundary — the same bar as request-body validation on a REST endpoint. Allowlist parameter types, validate paths against canonicalised roots, parameterise filter expressions instead of interpolating them.
• Network segmentation around agent hosts. A Semantic Kernel agent host with read access to internal systems and outbound internet access is an obvious post-RCE pivot point; the agent process should run with the same network and credential constraints as any internet-exposed application server.