Microsoft Just Confirmed What We've Suspected: AI Agent Frameworks Have an RCE Problem
Microsoft's Security Blog published research last week that should be required reading for anyone building AI agents. They found two critical RCE vulnerabilities in Semantic Kernel (CVE-2026-25592 and CVE-2026-26030), and the exploitation story is exactly as bad as it sounds.
The TL;DR
A single prompt was enough to launch calc.exe on the device running an AI agent. No browser exploit, no malicious attachment, no memory corruption bug. The agent simply did what it was designed to do: interpret natural language, choose a tool, and pass parameters into code.
The attack surface: any Semantic Kernel agent that has a prompt injection vector and uses the Search Plugin backed by the In-Memory Vector Store with its default configuration.
The Technical Details (Why This Matters Beyond Semantic Kernel)
The specific vulnerability in CVE-2026-26030: the default filter function in Semantic Kernel's In-Memory Vector Store is implemented as a Python lambda expression executed using eval(). When a user searches for hotels in Paris, the AI model generates a filter string that gets interpolated directly into an eval() call.
The vulnerable pattern:
```python
# Vulnerable pattern: `field` and `value` come from the model-generated
# filter and are interpolated straight into source text that is then eval()'d
field, value = "city", "Paris"   # e.g. derived from a hotel search request
new_filter = f"lambda x: x.{field} == '{value}'"
# Then executed with:
result = eval(new_filter)
```
An attacker injects a payload via the city parameter: Paris'); import os; os.system('calc.exe')# — and the eval() executes arbitrary code.
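The fix for this class of bug is not to escape the string harder but to stop treating model output as source code at all. The following is an added example, not Semantic Kernel's code or Microsoft's patch: the filter is built as a Python closure over validated data, the field name is checked against an allowlist (the `Hotel` schema and `ALLOWED_FIELDS` are assumed here), and the value is only ever compared with `==`, so the page's `city` payload is plain data that matches nothing, never code that runs.

```python
"""Hardened equality filter for an in-memory collection.

Added example (not Semantic Kernel's implementation): the predicate is a
closure over validated arguments rather than a string handed to eval().
"""
import re
from dataclasses import dataclass
from typing import Any, Callable, List

# Assumed record schema and allowlist of filterable fields (not SK's own).
ALLOWED_FIELDS = {"city", "country", "stars"}

# Defense in depth only: a length/charset sanity check on string values.
# The primary control is that the value is never parsed as code.
VALUE_PATTERN = re.compile(r"^[\w\s.,'-]{1,64}$")


@dataclass(frozen=True)
class Hotel:
    name: str
    city: str
    country: str
    stars: int


# Constructed sample data for the demonstration.
HOTELS = [
    Hotel("Hotel A", "Paris", "FR", 4),
    Hotel("Hotel B", "Lyon", "FR", 3),
    Hotel("Hotel C", "Paris", "FR", 5),
]


def build_equality_filter(field: str, value: Any) -> Callable[[Any], bool]:
    """Return a predicate equivalent to `lambda x: x.<field> == value`.

    Unlike the eval()-based pattern, `field` must be in an allowlist and
    `value` is captured as an ordinary object: it is compared, not executed.
    """
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"filter on unknown field: {field!r}")
    if isinstance(value, str) and not VALUE_PATTERN.fullmatch(value):
        raise ValueError("filter value contains disallowed characters")
    return lambda record: getattr(record, field) == value


def search(records: List[Hotel], field: str, value: Any) -> List[Hotel]:
    """Apply a validated equality filter to the collection."""
    predicate = build_equality_filter(field, value)
    return [r for r in records if predicate(r)]


def filter_is_rejected(field: str, value: Any) -> bool:
    """True when the builder refuses the field/value pair."""
    try:
        build_equality_filter(field, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print([h.name for h in search(HOTELS, "city", "Paris")])
    # The page's injection string is now just an unusual city name that the
    # charset check rejects; even without that check, no code would run.
    print(filter_is_rejected("city", "Paris'); import os; os.system('calc.exe')#"))
```

The important design choice is the second one in the docstring: even if the charset check were removed, `getattr(record, field) == value` has no path by which the value's contents become executable, which is the property the eval()-based builder lacked.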
The Deeper Issue: Trusting the Framework's Parsed Output
Microsoft's researchers framed it correctly: "The vulnerability lies in how the framework and tools trust the parsed data."
The AI model is doing exactly what it's designed to do — parsing language into tool schemas. The model isn't the problem. The problem is that frameworks like Semantic Kernel (and LangChain, and CrewAI — all have similar issues) map AI model outputs to system tools without sufficient validation of the parsed parameters.
Once an AI model is wired to tools, prompt injection stops being a content security problem and becomes a code execution primitive.
What This Means for OpenClaw Users
OpenClaw itself doesn't use Semantic Kernel, LangChain, or CrewAI under the hood — it has its own agent runtime. But if you're building agents that call external tools, the vulnerability pattern is the same:
Any framework that passes AI-parsed parameters directly into system operations (eval, exec, shell, file I/O) without sanitization is vulnerable.
The practical checklist for your OpenClaw setup:
- Audit any custom tools that pass parameters to shell/eval/exec
- If your agent calls external MCP servers, verify those servers sanitize their inputs
- If you're using the file-transfer plugin, confirm the default-deny policy is active (it is by default in 2026.5.21+)
- Run `openclaw doctor` to check for configuration security findings
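The first item on that checklist (audit custom tools that pass parameters to shell/eval/exec) can be partly automated. What follows is an added example and not part of OpenClaw, Semantic Kernel or the Microsoft research: it walks Python tool source with the standard `ast` module and reports calls to `eval`/`exec`/`compile`, `os.system`, `os.popen` and `subprocess` with `shell=True` whose first argument is built at runtime rather than being a literal. The `SAMPLE_TOOL` source is constructed for the demonstration; the findings are a starting point for manual review, not proof of exploitability.

```python
"""Static audit for tool code that hands runtime-built strings to code or shell sinks.

Added example (not OpenClaw's or Semantic Kernel's code). Findings mean
"a non-literal value reaches a dangerous sink here; go and read it".
"""
import ast
from dataclasses import dataclass
from typing import List, Optional

BARE_SINKS = {"eval", "exec", "compile"}
QUALIFIED_SINKS = {
    ("os", "system"), ("os", "popen"),
    ("subprocess", "run"), ("subprocess", "Popen"),
    ("subprocess", "call"), ("subprocess", "check_output"),
}


@dataclass(frozen=True)
class Finding:
    line: int
    sink: str
    note: str


def _call_name(call: ast.Call) -> Optional[str]:
    """'eval' for eval(...), 'os.system' for os.system(...), else None."""
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None


def _shell_true(call: ast.Call) -> bool:
    """True when the call passes a literal shell=True keyword."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def _first_arg_is_dynamic(call: ast.Call) -> bool:
    """True when the first positional argument is not a plain literal
    (a variable, f-string, concatenation, etc. built at runtime)."""
    return bool(call.args) and not isinstance(call.args[0], ast.Constant)


def audit_source(source: str) -> List[Finding]:
    """Parse `source` and return sink calls that receive runtime-built input."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name is None:
            continue
        if name in BARE_SINKS and _first_arg_is_dynamic(node):
            findings.append(Finding(node.lineno, name, "runtime-built string passed to eval/exec"))
        elif "." in name and tuple(name.split(".", 1)) in QUALIFIED_SINKS:
            # An argv list without shell=True is not a shell-injection sink.
            if name.startswith("subprocess.") and not _shell_true(node):
                continue
            if _first_arg_is_dynamic(node):
                findings.append(Finding(node.lineno, name, "runtime-built command reaches a shell"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample tool module; line numbers in findings refer to this text.
SAMPLE_TOOL = '''
import os, subprocess

def search_hotels(field, value):
    new_filter = f"lambda x: x.{field} == '{value}'"
    return eval(new_filter)                                      # flagged: eval

def list_dir(path):
    return subprocess.run(["ls", "-l", path], capture_output=True)  # argv list, not flagged

def ping(host):
    return os.system("ping -c 1 " + host)                        # flagged: os.system

def version():
    return eval("1 + 1")                                         # literal, not flagged
'''


if __name__ == "__main__":
    for finding in audit_source(SAMPLE_TOOL):
        print(f"line {finding.line}: {finding.sink}: {finding.note}")
```

The heuristic deliberately stays simple: it does not track data flow, so a literal that is later mutated will be missed and a dynamic value that was validated upstream will still be reported. For a tool audit that is the right trade-off; every reported line is exactly the kind of place where an AI-parsed parameter should not arrive unchecked.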
The fix from Microsoft's side: Semantic Kernel 1.71.0+ addresses both CVEs. If you're using Semantic Kernel in any capacity, upgrade immediately.
The vulnerability pattern isn't unique to Semantic Kernel. Any framework that executes AI-parsed parameters needs the same scrutiny.