On May 7, 2026, Microsoft's own security researchers published a blog post titled "When prompts become shells" — and the framework they were dissecting was Microsoft's. Two CVEs, both scored CVSS 9.9 (Critical), turn ordinary prompt injection into full remote code execution inside Semantic Kernel, the company's 27,000-star open-source agent framework used across enterprise Azure deployments. CVE-2026-26030 hits the Python SDK's InMemoryVectorStore filter through an eval() on a model-controlled lambda; CVE-2026-25592 breaks the .NET SDK's SessionsPythonPlugin sandbox via an unguarded DownloadFileAsync path-traversal. The researchers chained a benign user request through a malicious indexed document to launch calc.exe on the host. For every CIO and CISO who has wired an agent into a tool registry, the message is plain: prompt injection is no longer a content-safety problem. It is a code-execution primitive.

The disclosure lands in a hostile pattern. LangChain shipped patches for LangGrinch (CVE-2025-68664, CVSS 9.3) in December, exposing the same prompt-to-RCE pipeline through serialization. Flowise's CVE-2025-59528 (CVSS 10.0) is under active exploitation, with VulnCheck observing scans against 12,000–15,000 exposed instances. Forrester now sells its AEGIS framework — Agentic AI Enterprise Guardrails for Information Security — because every major framework has shown the same architectural flaw: when an LLM can call tools, the prompt is now reachable code. Gartner forecasts $244.2 billion in security spending in 2026, yet enterprises still spend 17x more on AI tooling than on securing it. This article unpacks the Semantic Kernel chain, places it alongside the LangChain and Flowise CVEs, and gives you a 25-point risk-assessment matrix plus a 15-item pre-deployment checklist you can run against any agent framework in production today.

What Changed: The Semantic Kernel Attack Chain

Microsoft's Security Response Center coordinated the disclosure with Semantic Kernel maintainers and pushed fixes before publishing the deep-dive. The two CVEs are independent but expose the same fundamental gap: AI-model-controlled values reaching a dangerous sink without sanitization.

CVE-2026-26030 — Python SDK, In-Memory Vector Store filter (CVSS 9.9 Critical)

• Affected: semantic-kernel Python package prior to 1.39.4
• Root cause: The default search filter is constructed as a Python lambda and run through eval(). The city value (and any string interpolated into the lambda) is supplied by the language model based on the user's natural-language query. There is no sanitization between the model's output and the eval() call.
• Impact: An attacker who can influence the model's tool-call arguments — including via indirect prompt injection from an indexed document — can execute arbitrary Python in the agent's host process.
• Weakness: CWE-94 (Code Injection), AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
• Disclosure timeline: Published Feb 19, 2026 in NVD; deep-dive write-up May 7, 2026 on the Microsoft Security Blog.

CVE-2026-25592 — .NET SDK, SessionsPythonPlugin sandbox escape (CVSS 9.9 Critical)

• Affected: Microsoft.SemanticKernel .NET SDK prior to 1.71.0
• Root cause: The plugin exposes DownloadFileAsync and UploadFileAsync as kernel functions, which means the model can call them with any filename. The download path is not validated for traversal sequences. An agent operating inside an Azure Container Apps dynamic session can therefore write files outside the sandbox onto the host that mounts the session — defeating the very isolation that justified using the plugin.
• Weakness: CWE-22 (Path Traversal), CVSS AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
• Exploit primitive: Drop a payload into the sandbox via Python execution, then DownloadFileAsync it to a host-writable path (autoruns, scheduled task, web server document root) → host-level RCE on the next privileged process.

The chained scenario Microsoft published: A retrieval-augmented agent ingests a vendor PDF. The PDF contains an indirect-injection payload that instructs the agent to query the in-memory store with a crafted city value. The lambda eval triggers Python code that calls into SessionsPythonPlugin to escape the sandbox and ultimately spawn calc.exe — Microsoft's chosen proof-of-execution. Replace calc.exe with a credential dumper, a webshell, or a token-grabber pointed at the agent's Azure Managed Identity, and the blast radius matches the agent's privilege envelope.

Fixes are available:

• pip install --upgrade semantic-kernel>=1.39.4
• dotnet add package Microsoft.SemanticKernel --version 1.71.0
• Reviewers should audit any custom plugin that exposes Function(), eval(), exec(), dynamic templating (Jinja2, Razor), or file/path APIs to the model.

This is not Microsoft alone. LangChain's LangGrinch (CVE-2025-68664, CVSS 9.3) is a serialization-injection in dumps() and dumpd() that lets an attacker steer an agent's structured output into a poisoned LangChain object — leaking environment variables and triggering Jinja2 RCE on deserialization. Patches landed in langchain-core 0.3.81 and 1.2.5. Flowise's CVE-2025-59528 (CVSS 10.0) passes user-supplied MCP configuration directly to the JavaScript Function() constructor — functionally identical to eval(). VulnCheck observed active exploitation by mid-April; 12,000–15,000 exposed Flowise instances remain unauthenticated by default.

Why This Matters: Dual-Audience Implications

The Semantic Kernel CVEs are not a Microsoft-specific bug. They are a category bug. Every framework that lets a model call tools — and that means LangChain, LlamaIndex, AutoGen, CrewAI, Flowise, Vercel AI SDK, and the hand-rolled agent loops shipping inside Salesforce Agentforce, Microsoft Agent 365, and Google Agentspace — sits in the same architectural shape: prompt → tool invocation → host process. If any link between those three drops sanitization, the prompt is now a shell.

Technical Implications (CIO / CTO / VP Engineering)

1. Your threat model is wrong if it stops at the LLM. Prompt injection ceased being a content-safety problem the moment we wired tools to models. Every plugin, every retriever, every memory store, every output parser is part of the attack surface. The Semantic Kernel eval() flaw demonstrates that even framework-provided defaults — code that ships from Microsoft, written by Azure architects — can carry classic 1990s code-injection sins.

2. Indirect prompt injection bypasses your existing controls. A user typing the malicious string is not the threat model. The threat model is a vendor PDF, a Confluence wiki page, a Salesforce note, or a GitHub README that the model retrieves through RAG. Your DLP, your WAF, your email gateway never see it. The OWASP LLM Top 10 places LLM01: Prompt Injection at the top because, as OWASP states, LLMs cannot currently distinguish between trusted instructions and untrusted content.

3. Sandboxes are not boundaries when the model holds the API. CVE-2026-25592 is the canonical example. Azure Container Apps' dynamic-session sandbox is well-designed in isolation, but exposing DownloadFileAsync as a kernel function gave the model a legitimate-looking API call that pivoted to host write. Any "sandbox" whose escape primitive is a kernel function the model can call is decorative.

4. Speed-of-fix is your real metric. Semantic Kernel ships breaking changes on near-monthly cadence; LangChain ships even faster. If your platform team takes a quarter to patch langchain-core, you are CVSS 9.3 exposed for ninety days. Your AI agent supply chain needs the same SLA discipline as your Linux base images — not the "we'll get to it next sprint" cadence many enterprise data-science teams currently use.

Business Implications (CFO / CMO / COO / GC)

1. Shadow AI breaches cost more. IBM's 2025 Cost of a Data Breach Report put shadow-AI breaches at $4.63 million on average — $670,000 above the global mean. An agent framework RCE on a model with Salesforce and SharePoint credentials is precisely the kind of breach that climbs that distribution.

2. Your insurer is already asking. Cyber insurers added "agentic AI inventory" questions to renewal questionnaires in Q1 2026. If you cannot enumerate which agent frameworks you run, at which versions, with which tools and credentials, expect either a higher premium or a denied claim.

3. Regulators are watching. The EU AI Act's high-risk obligations include security and robustness — and an RCE-chained prompt injection that exfiltrates personal data is a textbook Article 15 violation. NIST AI RMF 1.0 already treats prompt injection as a managed risk; auditors will increasingly expect documented controls.

4. Investor and board scrutiny is rising. Among CISOs surveyed in early 2026, 75.4% rate AI agents as a critical or significant security risk, 30.4% reported observing suspicious AI-agent activity in the past year, and 30.8% experienced unauthorized data exfiltration through SaaS-to-AI integrations. These numbers travel quickly into board decks.

Market Context: The Defensive Stack Forms

The vendor response in the first six months of 2026 says the market has clocked the risk:

• Forrester AEGIS Framework (April 2026) organizes agent security into six pillars — Governance / Risk / Compliance, Identity & Access, Data Security, Application Security & DevSecOps, Threat Management & SecOps, and Zero Trust — with a phased 12-month roadmap. Forrester's headline recommendation: start with governance before scaling agentic deployments.
• Snowflake Cortex AI Guardrails (May 1, 2026) ships a specialized LLM post-trained on adversarial prompt-injection patterns, runs parallel to the agent loop with no added latency, and is enabled by account-level configuration without infrastructure changes. The guardrail also monitors tool responses for malicious instructions returned to the model.
• Google's indirect prompt-injection warning (April 23, 2026) documented a 32% rise in IPI payloads across 2-3 billion crawled web pages, including PayPal and Stripe transaction templates designed to hijack autonomous browsing agents. Time-to-exploit collapsed from five months (2023) to ten hours (2026).
• Palo Alto Networks acquired Portkey to anchor its Prisma AIRS agent-security platform; Zscaler's Splx acquisition and IBM's Guardium AI follow the same pattern. AI Gateway and AI Posture Management are now Gartner-recognized categories.
• NIST AI RMF 1.0 and the EU AI Act Article 15 both require documented prompt-injection controls for high-risk deployments — which now describes virtually any autonomous customer-facing or financial agent.

Bessemer's agentic security thesis puts the underlying market dynamic crisply: 48% of cybersecurity professionals identify agentic AI as the single most dangerous attack vector, but enterprise spend on AI tools still outpaces AI security spend by 17:1 (Gartner). McKinsey's internal AI platform "Lilli" was compromised in under two hours during a controlled red-team exercise — a credible reminder that even AI-fluent organizations cannot rely on tradition alone.

Framework #1: 25-Point AI Agent Framework Risk Assessment

Use this matrix to score any agent framework — Semantic Kernel, LangChain, LlamaIndex, AutoGen, Flowise, Vercel AI SDK, or a hand-rolled in-house loop — across five dimensions. Each dimension is rated 1 (worst) to 5 (best). Score < 10: do not deploy to production. 10–14: low maturity, restrict to non-sensitive use cases. 15–19: medium, ship with compensating controls. 20–25: production-grade.

Dimension 1: Tool / Function Authorization Scope (1–5)

• 1 — Any tool the model knows about can be called with any argument.
• 3 — Tools are typed but no per-tool authorization or argument allowlist.
• 5 — Tools are typed, argument values are validated against allowlists / regex, and dangerous tools (file I/O, eval, shell, network) require explicit user re-confirmation.

Dimension 2: Input Boundary Enforcement (1–5)

• 1 — System, developer, user, and retrieved content all share the same context window with no markers.
• 3 — Retrieved content is wrapped in a tag but the model can still be steered by instructions inside it.
• 5 — Retrieved content is structurally segregated, runtime guardrails (Snowflake-style adversarial-injection classifier or equivalent) sit between retrieval and the model, and indirect-injection probes are part of pre-prod evals.

Dimension 3: Output Validation (1–5)

• 1 — The model's tool-call arguments and natural-language outputs are passed unchanged to eval() / exec() / Function() / Jinja2 / Razor.
• 3 — Outputs are JSON-schema-validated but values inside the schema are still trusted.
• 5 — Every model output that reaches a code-execution sink is parsed, schema-validated, value-allowlisted, and AST-scanned before execution. No eval() on model-derived strings.

Dimension 4: Sandbox / Identity Integrity (1–5)

• 1 — Agents run as the calling user's identity with the full credential set in process memory.
• 3 — Agents run under a dedicated service principal but with broad scope.
• 5 — Agents run under per-agent Managed Identities, scoped to least-agency (Forrester AEGIS) with just-in-time elevation; sandbox boundaries are kernel-enforced, not API-enforced; no kernel function ever exposes file-write or path-bearing primitives.

Dimension 5: Observability and Incident Response (1–5)

• 1 — No logging of prompts, retrievals, tool calls, or outputs.
• 3 — Prompts and outputs are logged but retrievals and tool arguments are not.
• 5 — Full traces (prompt + retrieved chunks + tool calls + arguments + outputs) flow to a SIEM with per-agent baselines; anomalous tool-call patterns trigger automated quarantine; red-team replays are part of CI.

Worked example — Semantic Kernel default deployment, pre-patch: Dim 1 = 2 (typed tools, no argument allowlist), Dim 2 = 2 (no structural segregation), Dim 3 = 1 (eval() on model lambda), Dim 4 = 2 (sandbox API-enforced), Dim 5 = 2 (limited tool-call traces). Total = 9 / 25 — do not deploy. Post-patch with arg validation, Snowflake-style guardrail, AST scan, Managed Identity scoping, and SIEM integration, the same deployment can reach 21+ / 25. The CVE was not the only problem; the scoring exposes the architectural debt.

Framework #2: 15-Item Pre-Deployment Security Checklist

Run this checklist before any agent enters production. Score: 13+ pass, 10–12 conditional, < 10 hold. Map to Forrester AEGIS pillars in parentheses.

Supply Chain (3 items)

1. Framework version and CVE inventory (GRC) — Pin agent framework versions in requirements.txt / csproj / package.json; subscribe to GHSA advisories for every framework; track patch lag against Microsoft's published SLA (currently ≤14 days for critical AI agent CVEs).
2. Tool registry inventory (GRC) — Maintain a per-agent registry of every tool, plugin, retriever, and connector with maintainer, version, license, and security review date.
3. Plugin code review (AppSec) — Manually audit any plugin that exposes file I/O, eval, dynamic templating, network egress, or credential APIs. Reject any plugin without a published security policy.

Runtime Controls (4 items)

4. Argument allowlists on dangerous tools (AppSec) — Filter, allowlist, or schema-validate every argument value reaching eval, exec, Function(), Jinja2/Razor, subprocess, os.system, file paths, SQL.
5. Structural prompt segregation (Data) — System, developer, retrieved content, and user input each carry distinct role labels and tokens; the model is fine-tuned or instructed to treat retrieved content as data, not instructions.
6. Adversarial-injection guardrail (ThreatMgmt) — A second model (Snowflake Cortex Guardrails, AWS Bedrock Guardrails, Azure Content Safety with Prompt Shields, or an in-house classifier) runs parallel to the agent loop on every prompt and every tool response.
7. Output AST / regex scan (AppSec) — Before any model output reaches a code-execution sink, parse it and reject patterns that include import os, __import__, eval, exec, shell metacharacters, path-traversal sequences, or markdown that resolves to outbound HTTP.

Identity and Sandboxing (3 items)

8. Per-agent Managed Identity (IAM) — Each agent has its own service principal with explicitly scoped permissions; no agent runs as a human user or shares credentials with other agents.
9. Just-in-time elevation (IAM) — Privileged actions (mass email, fund transfer, repo write) require either human-in-the-loop confirmation or a JIT token issued by a policy engine.
10. Kernel-enforced sandbox (ZeroTrust) — Code execution happens in an isolated VM / container with seccomp, capabilities dropped, network egress allowlisted, and no kernel function exposing file paths into the host.

Observability (3 items)

11. Full trace logging (ThreatMgmt) — Capture prompt, retrieved chunks, tool calls and arguments, tool outputs, and final response for every turn; route to SIEM with 90-day retention minimum.
12. Anomaly baselining (ThreatMgmt) — Establish per-agent tool-call frequency, argument-distribution, and credential-usage baselines; alert and auto-quarantine on deviation.
13. Incident response runbook (GRC) — Maintain a documented playbook for "agent compromise" with rotation of agent credentials, retrieval-index rollback, and customer notification thresholds.

Continuous Validation (2 items)

14. Red-team replay in CI (DevSecOps) — A library of indirect-injection payloads, including the Semantic Kernel and Flowise patterns, runs against every PR that modifies prompts, retrievers, or tool definitions.
15. Quarterly external assessment (GRC) — At least once per quarter, an outside red team probes the production deployment with current-state payloads. Findings drive a 30-day remediation cycle.

Case Study: Two Hours to Compromise

McKinsey's internal AI platform — codenamed "Lilli" — handles knowledge retrieval for the firm's consulting workforce and is deeply integrated with client engagement systems. In a controlled red-team exercise documented by Bessemer Venture Partners, an autonomous offensive agent gained broad system access in under two hours. The breach path did not depend on a zero-day; it exploited the very combination of trust, retrieval, and tool access that makes Lilli useful. The takeaway is not "McKinsey was negligent" — it is "even an AI-mature firm cannot ship agents safely without a defense-in-depth stack."

Compare that to Flowise in the wild. Within six weeks of the CVE-2025-59528 disclosure, VulnCheck observed scans across 12,000–15,000 exposed instances and confirmed exploitation from a single Starlink-routed IP. Most of those instances ran Flowise without authentication — a common deployment scenario for "internal tools." The lesson for enterprise buyers: any framework that exposes a builder UI on a routable port without auth-by-default is itself the supply-chain risk, regardless of what it was built to power.

The pattern across all three — Semantic Kernel, LangChain, Flowise — is identical. A model-controlled value reaches a dangerous sink because the framework's authors trusted the model. That trust is misplaced. LLMs are stochastic content generators, not access-control decision-makers. Treat every byte that crosses the LLM boundary as untrusted input, and the architecture changes.

What to Do About It

For CIOs and CISOs (next 30 days)

1. Inventory. Identify every agent framework version in production across business units. Map each to current CVE status. Patch Semantic Kernel to ≥1.39.4 (Python) and ≥1.71.0 (.NET) immediately; LangChain to ≥1.2.5 or ≥0.3.81; Flowise to ≥3.0.6 and enforce authentication.
2. Run the 25-point matrix against your top three agent deployments. Anything below 15 / 25 enters a remediation queue with executive ownership.
3. Deploy a runtime guardrail. If you live in Snowflake, enable Cortex AI Guardrails; on AWS, enable Bedrock Guardrails with Prompt Attacks filter; on Azure, enable Prompt Shields in Content Safety; otherwise stand up a classifier service (open-source Lakera Guard, PromptArmor, or fine-tuned internal model).
4. Mandate adversarial replay in CI for every agent repo. Block merges that fail.

For CFOs (next 60 days)

1. Rebalance the spend. If your AI security budget is below 5–10% of your AI platform spend, you are in the 17:1 cohort. Target 10–15% for the next two fiscal quarters.
2. Map agent failure to balance sheet. Model the cost of an RCE-chained breach using the IBM $4.63M shadow-AI baseline plus regulatory exposure (EU AI Act fines up to 7% of global turnover for prohibited or high-risk violations).
3. Renegotiate cyber insurance. Provide your agent inventory and patch SLAs proactively; insurers are pricing in agentic risk now, and the carriers most aggressive about it will offer the largest discounts to mature programs.

For Business / Operations Leaders (next 90 days)

1. Pause net-new autonomous-action agents until you can demonstrate ≥20 / 25 on the assessment matrix. Read-only / human-in-the-loop agents can continue.
2. Sponsor a cross-functional Agent Trust Council — Engineering, Security, Legal, Risk, and the business unit owner. AEGIS-aligned charters work well; Forrester's six pillars map cleanly to existing GRC structures.
3. Train your power users. Anyone deploying or modifying an agent — including no-code agent builders inside Salesforce Agentforce, Microsoft Copilot Studio, or Google Workspace Studio — needs a 60-minute baseline on indirect prompt injection, tool authorization, and what a compromised agent looks like.

The Semantic Kernel CVEs are the clearest signal yet that the agentic-AI gold rush has outrun its safety stack. Microsoft did the right thing — they shipped a patch and published an honest post-mortem on their own framework. The question is whether the rest of the industry — and your enterprise — will treat this as a turning point or as another inbox alert. The 60% of agent projects that will reach production-grade security in 2026 are the ones whose CISOs are running the matrix above today, not next quarter.

---

Continue Reading

• Web Pages Are Hijacking AI Agents — Google's IPI Warning
• Shadow AI Agents: 82% of Enterprises Have Unknown Agents
• Cognizant's Secure AI Services Bet: 88% Breach Rate Push
• Flowise CVSS 10.0 RCE: 12,000+ AI Agent Builders Exposed
• Anthropic Claude Security Public Beta Disrupts AppSec