When Prompts Become Shells: RCE Vulnerabilities in AI Agent Frameworks
Microsoft Security Blog, Thursday, May 7th, 2026
Researchers discovered critical vulnerabilities in AI agent frameworks like Semantic Kernel that enable remote code execution through prompt injection attacks.
Microsoft Security researchers identified two critical vulnerabilities (CVE-2026-25592 and CVE-2026-26030) in the Semantic Kernel AI agent framework that could allow attackers to achieve remote code execution through prompt injection.
These vulnerabilities exploit how AI agent frameworks map model outputs to system tools, turning natural language prompts into executable code. The research demonstrates how a simple prompt injection can launch arbitrary commands on a device running an AI agent.
Microsoft is launching a research series to identify similar vulnerabilities in popular AI agent frameworks and working with maintainers through responsible disclosure to address these issues before public disclosure.