DEV Community

Nathan Graves

Originally published at nasdigital.co.uk

Semantic Kernel CVSS 10.0 Vulnerability: What You Need to Know


On 7 May 2026, Microsoft quietly disclosed two critical vulnerabilities in Semantic Kernel, its open-source AI orchestration SDK (shipped for .NET, Python and Java) that tens of thousands of enterprise developers are using to build AI agents right now. One of them is rated CVSS 10.0.

The official patch, version 1.71.0, addresses the specific vulnerability, but independent security research has reported six ways around it. This post explains what the vulnerability is, how it plays out against a real .NET application, what the bypass vectors look like, and what you actually need to do to be safe.

What Is Semantic Kernel?

Semantic Kernel is Microsoft's orchestration framework for integrating Large Language Models (LLMs) into .NET (and Python and Java) applications. It simplifies AI agent development by providing standardized abstractions for prompts, plugins (application functions the model is allowed to call), memory, planning, and LLM interactions.

Major enterprises are already using it in production:

  • Enterprise customer support systems
  • Intelligent data processing pipelines
  • AI-assisted business workflow automation
  • Internal knowledge management systems

This widespread adoption is exactly why the CVSS 10.0 rating is so alarming.

The Vulnerability

The CVSS 10.0 vulnerability is an unauthenticated remote code execution (RCE) flaw in Semantic Kernel's plugin execution pipeline.

Here's how it works:

When a Semantic Kernel agent processes untrusted input (customer queries, file uploads, API data), the model decides which plugin function to call and copies text from that input into the function's arguments. According to the disclosure, the framework does not properly validate or sanitize those plugin invocations, so an attacker who controls the input can steer them into dynamically constructing and executing native C# code, and that code runs with the application's full privileges.

Attack Scenario

Imagine a customer support chatbot built with Semantic Kernel:

User Input: "Show me all customers from region='USA' or 1=1"

What happens internally:
1. The message is passed to the agent without filtering.
2. The model selects the customer plugin and fills its argument with the attacker-controlled text: GetCustomers("USA' or 1=1")
3. The kernel invokes the plugin with that argument unchanged. A plugin that builds its query by string concatenation hands the injected predicate straight to the database; where the plugin path leads to dynamically compiled code, the same input becomes code.
4. The attacker reads the whole customer table (or, in the code-execution case, takes the system itself).

The SQL example is the mildest case. Because the injection point is the plugin invocation itself, and plugins run in-process with the application's identity, an attacker who reaches code execution can:

  • Execute arbitrary C# code
  • Access the filesystem
  • Make network requests with the application's identity
  • Escalate privileges
  • Persist backdoors
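To make the scenario concrete, here is an added example in Python (not code from the post or from the Semantic Kernel project; Semantic Kernel also ships a Python SDK, but this uses only the standard library). A plain class stands in for a kernel plugin: the kernel, driven by the model, would call its methods with whatever argument value the model extracted from the user's message. The class name, method names, table and rows are all made up. The point is the difference between a plugin that concatenates the model-supplied argument into SQL and one that passes it as a parameter.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory customer table standing in for the support system's DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, region TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, region) VALUES (?, ?)",
        [("Acme Ltd", "UK"), ("Globex Corp", "USA"), ("Initech", "DE"), ("Umbrella Inc", "USA")],
    )
    return conn


class CustomerPlugin:
    """Hypothetical stand-in for a Semantic Kernel plugin. The kernel (driven by the
    model) calls these methods with argument values the model copied out of the
    user's message, so `region` must be treated as attacker-controlled."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def get_customers_vulnerable(self, region: str) -> list:
        # Builds the statement by concatenation: the argument becomes part of the SQL.
        sql = "SELECT name FROM customers WHERE region = '" + region + "'"
        return [row[0] for row in self.conn.execute(sql)]

    def get_customers_safe(self, region: str) -> list:
        # Parameterized: the driver sends the value separately from the statement,
        # so quotes and keywords inside `region` are data, never SQL.
        sql = "SELECT name FROM customers WHERE region = ?"
        return [row[0] for row in self.conn.execute(sql, (region,))]


# The value the model would place in the `region` argument for the post's example
# message. The trailing `--` comments out the plugin's own closing quote so the
# concatenated statement still parses (the bare `or 1=1` form would be a syntax error).
PAYLOAD = "USA' OR 1=1 --"


def demo() -> dict:
    plugin = CustomerPlugin(make_db())
    return {
        "vulnerable": plugin.get_customers_vulnerable(PAYLOAD),  # every row leaks
        "safe": plugin.get_customers_safe(PAYLOAD),              # no region has that literal name
        "honest": plugin.get_customers_safe("USA"),              # the intended query still works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The parameterized method is not a patch to the framework; it is the plugin author's responsibility, and it has to be applied to every sink the plugin touches (shell commands, file paths, HTTP requests), not only SQL.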

The Patch & The Bypass

Microsoft released version 1.71.0 in early May 2026 with a fix described as input validation on plugin parameters.

The problem? The validation sits at the wrong layer. It checks plugin invocations at the API boundary, but it does not prevent:

  1. Indirect code injection via serialized objects
  2. LINQ expression manipulation in memory operations
  3. Reflection-based plugin discovery and execution
  4. Handler chain bypasses through custom middleware
  5. Template injection in prompt preprocessing
  6. JIT compilation exploitation of dynamic code paths

These six vectors mean the patch closes the most obvious path, but a determined attacker still has several others.

What You Need to Do

If you're running Semantic Kernel in production, here are your immediate actions:

1. Update to 1.71.0 (but don't assume you're safe)

Apply the patch immediately. But understand that patching alone is not sufficient.

2. Implement Input Filtering

Treat every plugin argument as attacker-controlled: the model copies user text into arguments, so input that never looks like code in the chat can still arrive at a plugin as a quote-breaking string. Always:

  • Validate each argument against a strict allowlist of expected values, or at least a tight shape (length, character set)
  • Escape special characters only as a fallback; escaping is weaker than parameterization
  • Use parameterized database and OS APIs instead of string concatenation
  • Log every invocation (function, arguments, outcome) for later audit
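An added example (not the post's or the project's code) of what such a filter can look like in Python: a guard that sits between the model's tool call and the plugin method, checks each argument against a per-argument allowlist or shape rule, records every call in an audit log whether or not it was accepted, and refuses calls that fail. The function and argument names, the allowlist contents and the shape pattern are assumptions; the hook that would wire this into a real kernel is not shown.

```python
import re
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple

# Assumption: this guard is wired into the kernel's function-invocation hook, so it
# sees the argument values the model actually chose rather than the raw chat text.


@dataclass
class ArgRule:
    """Either a closed allowlist of exact values, or a shape pattern for open text.
    The default pattern admits letters, digits, spaces, underscores and hyphens only,
    so quotes, semicolons and comment markers can never reach the plugin."""
    allowed: frozenset = frozenset()
    pattern: str = r"[A-Za-z0-9 _-]{1,64}"

    def check(self, value: Any) -> Optional[str]:
        if not isinstance(value, str):
            return "not a string"
        if self.allowed:
            return None if value in self.allowed else "not in allowlist"
        return None if re.fullmatch(self.pattern, value) else "fails shape pattern"


@dataclass
class InvocationGuard:
    rules: Dict[str, Dict[str, ArgRule]]              # function name -> argument name -> rule
    audit: List[dict] = field(default_factory=list)   # every call, accepted or not

    def invoke(self, name: str, fn: Callable[..., Any], **kwargs: Any) -> Any:
        problems: List[Tuple[str, str]] = []
        rules = self.rules.get(name)
        if rules is None:
            problems.append(("*", "function not registered"))
        else:
            for arg, value in kwargs.items():
                rule = rules.get(arg)
                reason = "unexpected argument" if rule is None else rule.check(value)
                if reason:
                    problems.append((arg, reason))
        # Record before deciding, so rejected probes are logged as well as accepted calls.
        self.audit.append({"function": name, "args": dict(kwargs),
                           "accepted": not problems, "problems": problems})
        if problems:
            raise ValueError(f"rejected call to {name}: {problems}")
        return fn(**kwargs)


# Hypothetical plugin functions standing in for real plugin methods.
def get_customers(region: str) -> str:
    return f"customers in {region}"


def search_notes(query: str) -> str:
    return f"notes matching {query}"


def demo() -> Tuple[List[Tuple[str, str]], List[dict]]:
    guard = InvocationGuard(rules={
        "GetCustomers": {"region": ArgRule(allowed=frozenset({"UK", "USA", "DE"}))},
        "SearchNotes": {"query": ArgRule()},
    })
    # Constructed tool calls, as the model might emit them for benign and hostile messages.
    calls = [
        ("GetCustomers", get_customers, {"region": "USA"}),
        ("GetCustomers", get_customers, {"region": "USA' OR 1=1 --"}),
        ("SearchNotes", search_notes, {"query": "refund policy"}),
        ("SearchNotes", search_notes, {"query": "x'; DROP TABLE notes; --"}),
        ("RunShell", print, {"cmd": "id"}),   # a function nobody registered
    ]
    results = []
    for name, fn, args in calls:
        try:
            guard.invoke(name, fn, **args)
            results.append((name, "accepted"))
        except ValueError:
            results.append((name, "rejected"))
    return results, guard.audit


if __name__ == "__main__":
    outcomes, log = demo()
    for entry in log:
        print(entry)
```

Prefer the closed allowlist wherever the domain is finite (regions, product codes, status names); the shape pattern is for genuinely free text and should be as narrow as the feature allows. The audit entries are what the monitoring section below would consume.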

3. Run with Least Privilege

The process that runs Semantic Kernel (and therefore its plugins) should have:

  • Minimal filesystem access (a read-only root filesystem where possible, writable only where the application genuinely needs it)
  • No outbound network access except to the LLM endpoints it needs
  • No elevated permissions (non-root, no privileged containers)
  • Short-lived credentials (managed or workload identity) instead of static API keys; if static keys are unavoidable, rotate them on a fixed schedule, for example every 30 days

4. Isolate LLM Interactions

Run the components that execute plugins in a sandbox (a container with a restrictive seccomp/AppArmor profile, a separate low-privilege process, or a VM), so that code execution inside the agent does not automatically mean code execution on the host.

5. Monitor for Exploitation Attempts

Look for:

  • Assembly loads or dynamic compilation your application does not normally perform
  • Unexpected outbound connections from the application, especially to hosts other than your LLM endpoints
  • Repeated failed plugin invocations from one session followed by a success (an attacker tuning a payload)
  • Unusually long or heavily encoded inputs (base64, nested quoting) that suggest a staged payload
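An added example (not from the post) of the "failed invocations followed by success" and "unexpected outbound connection" checks run over constructed log lines in Python. The key=value log format, the field names, the failure threshold, the time window and the egress allowlist are all assumptions; adapt them to whatever your kernel's invocation hooks and egress proxy actually emit.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample log (not from any real deployment). Each line is a hypothetical
# key=value record written by an invocation hook (event=invoke) or an egress proxy
# (event=egress). Session s1 probes the plugin three times, succeeds, then calls out
# to an unknown host; session s2 is normal traffic.
SAMPLE_LOG = """\
2026-05-08T10:00:01Z session=s1 event=invoke plugin=CustomerPlugin function=GetCustomers status=error
2026-05-08T10:00:03Z session=s1 event=invoke plugin=CustomerPlugin function=GetCustomers status=error
2026-05-08T10:00:04Z session=s1 event=invoke plugin=CustomerPlugin function=GetCustomers status=error
2026-05-08T10:00:06Z session=s1 event=invoke plugin=CustomerPlugin function=GetCustomers status=ok
2026-05-08T10:00:07Z session=s1 event=egress host=203.0.113.9 port=443
2026-05-08T10:01:00Z session=s2 event=invoke plugin=CustomerPlugin function=GetCustomers status=ok
2026-05-08T10:01:02Z session=s2 event=egress host=api.openai.com port=443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
FAIL_THRESHOLD = 3                     # assumption: three failures in the window is a probe
WINDOW = timedelta(seconds=60)         # assumption: failures older than this are forgotten
EGRESS_ALLOWLIST = {"api.openai.com"}  # assumption: the only LLM endpoint this app needs


def parse_line(line: str) -> Dict[str, object]:
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields: Dict[str, object] = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = ts
    return fields


def detect(log_text: str) -> List[Tuple]:
    """Return alerts for (a) a session whose plugin call succeeds after FAIL_THRESHOLD
    recent failures of the same function and (b) egress to a host not on the allowlist."""
    alerts: List[Tuple] = []
    recent_failures = defaultdict(list)  # (session, plugin, function) -> failure timestamps
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["event"] == "invoke":
            key = (ev["session"], ev["plugin"], ev["function"])
            fails = recent_failures[key]
            cutoff = ev["ts"] - WINDOW
            fails[:] = [t for t in fails if t >= cutoff]   # drop failures outside the window
            if ev["status"] != "ok":
                fails.append(ev["ts"])
            elif len(fails) >= FAIL_THRESHOLD:
                alerts.append(("probe-then-success", ev["session"], ev["plugin"],
                               ev["function"], len(fails)))
                fails.clear()
        elif ev["event"] == "egress" and ev["host"] not in EGRESS_ALLOWLIST:
            alerts.append(("unexpected-egress", ev["session"], ev["host"], ev["port"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Both rules are cheap enough to run in-line in the invocation hook rather than in a batch job, which matters here because the gap between a successful probe and data leaving the host can be seconds.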

6. Audit Existing Deployments

If Semantic Kernel was running in production before version 1.71.0 became available, assume it may already have been exploited and investigate accordingly:

  • Review audit logs for suspicious activity
  • Check for unauthorized code modifications
  • Regenerate all secrets and credentials
  • Run a full security audit on affected systems

The Bigger Picture

This vulnerability highlights a fundamental challenge in AI agent frameworks: the tension between flexibility and security.

Semantic Kernel is designed to be powerful: developers want the ability to wire LLMs directly to application logic. But that power opens doors if it is not properly guarded. As AI agents become more autonomous, the security model has to keep pace.

Microsoft has a responsibility to patch this properly. The community has a responsibility to demand transparency about what the vulnerabilities really enable. And every organization using these tools has a responsibility to understand what they're actually deploying.

Moving Forward

Use Semantic Kernel. It's a solid framework. But deploy it with security as a first-class design principle, not an afterthought. Understand your data flows. Validate your inputs. Monitor your systems. And stay informed about emerging vulnerabilities in the frameworks you rely on.

The fact that six bypass vectors exist for the CVSS 10.0 patch suggests we're still early in the process of securing AI orchestration frameworks properly. Stay vigilant.


Originally published on: NAS Digital Blog