ctipilot.ch

Microsoft Semantic Kernel Python SDK — prompt-injection-to-RCE via InMemoryVectorStore filter (CVSS 9.9)

cve · CVE-2026-26030

  • Coverage timeline: 2 (first 2026-05-10 → last 2026-05-10)
  • Briefs: 2 (2 distinct)
  • Sources cited: 300 (98 hosts)
  • Sections touched: 2 (deep-dive, weekly_summary)
  • Co-occurring entities: 6 (see Related entities below)

Story timeline

  1. 2026-05-10 · CTI Daily Brief — 2026-05-10
    deep-dive · First coverage. f-string interpolation of LLM-controlled value into LINQ-like filter; class-hierarchy traversal __class__.__bases__[0].__subclasses__() bypasses string blocklist validator → os.system-equivalent execution. Patched in Python SDK ≥ 1.39.4. Public PoC at amiteliahu/AIAgentCTF GitHub. No ITW exploitation. Deep dive in § 5.
  2. 2026-05-10 · CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
    weekly_summary · Consolidated in weekly summary for week 2026-W19

Where this entity is cited

  • deep-dive: 1
  • weekly_summary: 1

Source distribution

  • attack.mitre.org: 42 (14%)
  • thehackernews.com: 29 (10%)
  • msrc.microsoft.com: 20 (7%)
  • microsoft.com: 18 (6%)
  • bleepingcomputer.com: 16 (5%)
  • helpnetsecurity.com: 11 (4%)
  • security-hub.ncsc.admin.ch: 7 (2%)
  • unit42.paloaltonetworks.com: 7 (2%)
  • other: 150 (50%)

Related entities

External references

NVD · cve.org · CISA KEV

Items in briefs about Microsoft Semantic Kernel Python SDK — prompt-injection-to-RCE via InMemoryVectorStore filter (CVSS 9.9) (3)

CVE-2026-26030 + CVE-2026-25592 — Microsoft Semantic Kernel Python and .NET SDKs: a class-of-bug for agentic-AI frameworks

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

The two Semantic Kernel CVEs are the highest-signal new CVE pair of the week even without confirmed in-the-wild exploitation: both flaws stem from a shared design weakness, namely that an agent framework treats LLM-controlled values as input to executable abstractions without explicit validation at the boundary. The Python SDK flaw (CVE-2026-26030, CWE-94) interpolates an LLM-controlled parameter into the InMemoryVectorStore filter expression via f-string composition; a string-blocklist validator is bypassed by the canonical "".__class__.__bases__[0].__subclasses__() class-hierarchy traversal pattern, yielding subprocess.Popen-equivalent execution on the agent process's host. A public PoC exists in the amiteliahu/AIAgentCTF GitHub repository per Microsoft's research post. The .NET SDK flaw (CVE-2026-25592, CWE-22, effectively a sandbox escape) ships a stray [KernelFunction] attribute on SessionsPythonPlugin.DownloadFileAsync and SessionsPythonPlugin.UploadFileAsync; the LLM can therefore invoke those methods with attacker-chosen path arguments, yielding an arbitrary file write that breaks containment from the Azure Container Apps Python sessions sandbox onto the agent process's host filesystem (Microsoft Security Blog, 2026-05-07 · GitHub GHSA-xjw9-4gw8-4rqx · GitHub GHSA-2ww3-72rp-wpp4 · daily 2026-05-10 deep dive).

Both flaws bypass prompt-side mitigations (output filtering, response classifiers, "let the LLM judge") because the dangerous operation occurs inside the SDK. The same class of bug is highly likely to exist in LangChain, CrewAI, AutoGen, Haystack, and LlamaIndex; defenders should not assume Semantic Kernel is uniquely affected. Patch path: Python SDK ≥ 1.39.4, .NET SDK ≥ 1.71.0; audit every [KernelFunction]-decorated method for parameter types that are paths, file handles, raw strings later interpolated into code, SQL fragments, or URLs, and remove the decorator from anything that does not need to be LLM-callable. ATT&CK: T1059.006 Python, T1611 Escape to Host, T1565.001, T1005 Data from Local System.

CVE-2026-26030 / CVE-2026-25592 — Microsoft Semantic Kernel: prompt-injection-to-RCE in the Python and .NET SDKs of Microsoft's AI agent orchestration framework (CVSS 9.9 each)

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

CVE-2026-26030 (CWE-94, CVSS 9.9) is a code-injection flaw in the Python SDK's InMemoryVectorStore filter function. An f-string composes the LINQ-like filter expression directly from an LLM-controlled parameter rather than parameterising it; the SDK applies a blocklist validator that an attacker bypasses with the well-known __class__.__bases__[0].__subclasses__() class-hierarchy traversal pattern, yielding os.system-equivalent execution on the host running the agent. Affected versions: Python SDK < 1.39.4. CVE-2026-25592 (CWE-22, CVSS 9.9) is a class-design flaw in the .NET SDK: SessionsPythonPlugin.DownloadFileAsync and SessionsPythonPlugin.UploadFileAsync carry a [KernelFunction] attribute that should not have been applied — the LLM can therefore call those methods directly with attacker-chosen path arguments, yielding an arbitrary file-write primitive that breaks containment from the Azure Container Apps Python sessions sandbox into the host filesystem of the agent process. Affected versions: .NET SDK < 1.71.0. Both issues require only that an attacker can inject prompt content the agent consumes (user input, retrieved RAG documents, tool outputs) and that the agent is using a default-configured Search Plugin or Sessions Python plugin (Microsoft Security Blog, 2026-05-07 · GitHub Security Advisory GHSA-xjw9-4gw8-4rqx, 2026-05-07 · GitHub Security Advisory GHSA-2ww3-72rp-wpp4, 2026-05-07).

A working PoC for CVE-2026-26030 is public in the amiteliahu/AIAgentCTF GitHub repository per Microsoft's research post; no in-the-wild exploitation has been reported. Patches: Python SDK ≥ 1.39.4 and .NET SDK ≥ 1.71.0 — note that the GitHub Security Advisory for CVE-2026-25592 records 1.39.3 as its minimum patched Python version, and 1.39.4 (the patched version for CVE-2026-26030) supersedes 1.39.3 and closes both CVEs. Microsoft characterises both flaws as systemic to agentic-AI patterns that "trust LLM-controlled parameters without explicit validation" — readers should expect analogous flaws in LangChain, CrewAI, AutoGen and other agent frameworks. Full deep dive in § 5.

Hardening / mitigation

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

  • Patch first. Upgrade Python SDK to ≥ 1.39.4 and .NET SDK to ≥ 1.71.0. The patched releases also include the upstream test additions covering the bypass patterns.
  • If immediate upgrade is blocked, implement a Function Invocation Filter (the SDK-supported hook documented in the Microsoft research post) to allowlist the methods and parameters that may be called. This neutralises the unintended-[KernelFunction] exposure on the .NET side and reduces the Python-side blast radius even if the validator is bypassed.
  • Audit every [KernelFunction]-decorated method in your codebase for parameter types that are paths, file handles, raw strings later interpolated into code, SQL fragments, or URLs; remove the decorator from anything that does not need to be LLM-callable.
  • Treat LLM-supplied inputs to filter / templating / dispatch as untrusted at the SDK boundary — the same bar as request-body validation on a REST endpoint. Allowlist parameter types, validate paths against canonicalised roots, parameterise filter expressions instead of interpolating them.
  • Network segmentation around agent hosts. A Semantic Kernel agent host with read access to internal systems and outbound internet access is an obvious post-RCE pivot point; the agent process should run with the same network and credential constraints as any internet-exposed application server.
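As an added example (not Semantic Kernel's or Microsoft's code), this is the parameterised filter that the daily-brief bug description and the "parameterise filter expressions instead of interpolating them" bullet above call for: an LLM-supplied filter string is parsed against an explicit grammar and field/operator allowlists and applied as a predicate, so nothing is ever evaluated and there is no blocklist to bypass. Record layout, field names and all function names are constructed for this illustration.

```python
import re
from typing import Any, Callable, Iterable

# Constructed sample records standing in for in-memory vector-store entries.
RECORDS = [
    {"id": "r1", "category": "finance", "year": 2024, "text": "Q3 report"},
    {"id": "r2", "category": "hr", "year": 2023, "text": "Leave policy"},
    {"id": "r3", "category": "finance", "year": 2022, "text": "Audit memo"},
]

# Allowlists: the only fields (with expected value type) and operators an
# LLM-supplied filter may reference; anything else is rejected.
ALLOWED_FIELDS: dict[str, type] = {"category": str, "year": int}
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
}

# Grammar for exactly one comparison `field OP literal` (integer or single-
# quoted string). No attribute access, calls or boolean composition: the
# string is parsed, never evaluated, so there is no blocklist to bypass.
_FILTER_RE = re.compile(r"^\s*(\w+)\s*(==|!=|>=|<=)\s*(\d+|'[^'\\]*')\s*$")

def parse_filter(expr: str) -> tuple[str, str, Any]:
    """Parse an LLM-controlled filter string into (field, op, value) or raise."""
    m = _FILTER_RE.fullmatch(expr)
    if not m:
        raise ValueError(f"filter does not match the allowed grammar: {expr!r}")
    field, op, raw = m.groups()
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field not allowlisted: {field!r}")
    value: Any = int(raw) if raw.isdigit() else raw[1:-1]
    if not isinstance(value, ALLOWED_FIELDS[field]):
        raise ValueError(f"value type mismatch for field {field!r}")
    return field, op, value

def search(expr: str, records: Iterable[dict[str, Any]] = RECORDS) -> list[str]:
    """Apply the parsed predicate to the records and return matching ids."""
    field, op, value = parse_filter(expr)
    return [r["id"] for r in records if OPERATORS[op](r[field], value)]

def rejects(expr: str) -> bool:
    """True if the boundary refuses the filter string."""
    try:
        parse_filter(expr)
    except ValueError:
        return True
    return False
```

The same shape applies to any LLM-callable parameter that later reaches code, SQL or a path: parse into a typed structure at the SDK boundary, then act on the structure, not on the string.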