Security May 13, 2026

Security: Critical RCE Flaws in Microsoft Semantic Kernel

Author

Dillip Chowdary

Founder & AI Researcher

Microsoft has released emergency patches for two critical vulnerabilities in **Semantic Kernel**, its popular open-source SDK that allows developers to integrate LLMs with conventional programming languages. The flaws, tracked as **CVE-2026-25592** and **CVE-2026-26030**, could allow an attacker to achieve full **Remote Code Execution (RCE)** on the server hosting the AI agent.

The "Tool Manipulation" Vector

The vulnerabilities lie in how Semantic Kernel handles **Tool Calling**. In an agentic workflow, an LLM is given access to various "tools" (Python functions, API wrappers, or shell scripts) to accomplish a task. Security researchers discovered that by using a specially crafted prompt, an attacker could "trick" the kernel into executing arbitrary commands by bypassing the input validation layer. This is a form of **Prompt Injection-to-RCE**, where the linguistic ambiguity of the AI model is used to subvert the deterministic logic of the underlying system.

Technical Deep Dive

CVE-2026-25592 affects the **Handlebars** template engine integration, while CVE-2026-26030 relates to the **Python Function Calling** implementation. In both cases, the kernel failed to properly sanitize the parameters passed from the LLM to the host environment. An attacker could, for example, provide a prompt that causes the agent to include a malicious shell command inside a "search query" tool call, which the server would then execute with the privileges of the service account.
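The failure pattern described above, a model-supplied tool argument reaching the host without an allowlist check, can be illustrated with a small tool dispatcher. The code below is an added example written for this article; it is not Semantic Kernel's code and does not reproduce either CVE. The tool registry (`search_docs`), its parameter allowlist, the in-memory `DOCS` corpus and the `/srv/docs` path are all constructed for the example. The point it shows is that every argument the model emits is validated against an explicit schema before any tool body runs, and that if a tool ever has to shell out, the argument travels as one argv element rather than as part of a command string.

```python
"""Validating LLM tool calls before they reach the host (constructed example)."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass


class ToolCallRejected(Exception):
    """Raised when a model-supplied tool call fails validation."""


@dataclass(frozen=True)
class ParamSpec:
    pattern: str   # allowlist regex the whole value must match
    max_len: int


@dataclass(frozen=True)
class ToolSpec:
    name: str
    params: dict   # parameter name -> ParamSpec


# Hypothetical tool registry: only tools listed here may be invoked, and every
# parameter carries an explicit allowlist. Shell metacharacters never match,
# and a leading '-' is excluded so a value cannot masquerade as an option.
TOOLS = {
    "search_docs": ToolSpec(
        name="search_docs",
        params={"query": ParamSpec(pattern=r"[A-Za-z0-9][A-Za-z0-9 ._-]*", max_len=64)},
    ),
}

# Constructed in-memory corpus standing in for the host's document store.
DOCS = {
    "kernel-notes.txt": "Semantic Kernel tool calling overview",
    "deploy.md": "service account permissions and sandboxing",
    "readme.txt": "kernel plugins and handlebars templates",
}


def parse_tool_call(llm_output: str) -> tuple[str, dict]:
    """Parse the model's tool call as strict JSON; anything else is rejected."""
    try:
        call = json.loads(llm_output)
    except json.JSONDecodeError as exc:
        raise ToolCallRejected(f"tool call is not valid JSON: {exc}") from None
    if not isinstance(call, dict) or not isinstance(call.get("arguments"), dict):
        raise ToolCallRejected("tool call must be an object with an 'arguments' object")
    return str(call.get("tool", "")), call["arguments"]


def validate_arguments(spec: ToolSpec, args: dict) -> dict:
    """Check every argument against the tool's allowlist before it reaches the host."""
    unknown = set(args) - set(spec.params)
    if unknown:
        raise ToolCallRejected(f"unexpected argument(s) for {spec.name}: {sorted(unknown)}")
    clean = {}
    for name, pspec in spec.params.items():
        if name not in args:
            raise ToolCallRejected(f"missing argument '{name}' for {spec.name}")
        value = args[name]
        if not isinstance(value, str):
            raise ToolCallRejected(f"argument '{name}' must be a string")
        if len(value) > pspec.max_len or not re.fullmatch(pspec.pattern, value):
            raise ToolCallRejected(f"argument '{name}' failed allowlist check")
        clean[name] = value
    return clean


def search_docs(query: str) -> list[str]:
    """The tool body: a pure-Python, case-insensitive search over DOCS."""
    q = query.lower()
    return sorted(name for name, text in DOCS.items() if q in text.lower())


def host_search_argv(query: str) -> list[str]:
    """If the search had to shell out, build argv as a list (never a shell string)
    and end option parsing with '--' so the value is only ever data.
    The result is meant for subprocess.run(argv) without shell=True."""
    return ["grep", "-rlF", "--", query, "/srv/docs"]


DISPATCH = {"search_docs": search_docs}


def dispatch(llm_output: str) -> list[str]:
    """Validate and run a model-supplied tool call; rejected calls never execute."""
    tool, args = parse_tool_call(llm_output)
    if tool not in TOOLS:
        raise ToolCallRejected(f"unknown tool '{tool}'")
    clean = validate_arguments(TOOLS[tool], args)
    return DISPATCH[tool](**clean)


if __name__ == "__main__":
    print(dispatch('{"tool": "search_docs", "arguments": {"query": "kernel"}}'))
    for bad in ('{"tool": "search_docs", "arguments": {"query": "kernel; id"}}',
                '{"tool": "run_shell", "arguments": {"cmd": "id"}}'):
        try:
            dispatch(bad)
        except ToolCallRejected as exc:
            print("rejected:", exc)
```

Two design choices matter here. The check is an allowlist on the value's shape, not a denylist of characters, so a new metacharacter or encoding trick has nothing to bypass. And the tool names and parameter names are fixed by the registry, so the model can only choose among predefined calls; it cannot name a tool or a parameter the developer never registered. A prompt that persuades the model to emit a "search query" containing a command is therefore rejected before any host code runs, which is the layer the article says was missing.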

Mandatory Updates

Microsoft has categorized these flaws as "Important" to "Critical," with CVSS scores reaching **9.1**. All developers using Semantic Kernel are urged to update to the latest versions immediately:

  • .NET: v1.18.0 or later
  • Python: v0.9.8 or later
  • Java: v1.4.2 or later

As we move deeper into the era of autonomous agents, these vulnerabilities highlight the inherent risks of giving AI models direct access to execution environments. The "sandbox" is no longer a luxury; it is a fundamental requirement for the safety of the agentic web.
