A few months ago I wrote about CVE-2026-25592, the CVSS 10 prompt injection bug in Microsoft's Semantic Kernel that let a malicious prompt reach code execution. At the time I treated it as a single, severe, but isolated incident — a framework had a hole, Microsoft patched it, lesson learned.

It wasn't isolated. Microsoft has now disclosed CVE-2026-26030, a second Semantic Kernel vulnerability, CVSS 9.9. And the pattern it's part of is bigger than one framework.

What's different this time

CVE-2026-25592 was about an agent being tricked into taking an action it had permission to take, just not in the way its developer intended. CVE-2026-26030, disclosed by Microsoft on 7 May 2026, is more direct: a single crafted prompt was enough to launch calc.exe on the host machine running the agent. Not "the agent did something unwise within its sandbox." Arbitrary code execution on the underlying host, triggered by text.

Microsoft's own writeup frames this as part of a wider class — "prompts become shells" — which is the more useful way to think about it than treating each CVE as a standalone patch note. The mechanism that turns a prompt into a shell command doesn't care that it happened to be Semantic Kernel.

It's not a Semantic Kernel problem. It's an agent-framework problem.

That's the part worth sitting with. Adversa AI's "TrustFall" research, also published this cycle, demonstrated a one-click RCE chain affecting Claude Code, Gemini CLI, Cursor CLI, and GitHub Copilot CLI: a malicious repo ships a .mcp.json plus a settings file that auto-trusts an attacker-controlled MCP server, and a single click on the editor's generic "trust this folder" prompt — the kind of click developers make dozens of times a week — spawns that server with full system privileges. A CI/CD variant needs no click at all. Same underlying failure mode as the Semantic Kernel bug: the boundary between "text/config the model or tool reads" and "commands the host will execute" is thinner than anyone building on top of these frameworks wants to admit.

Zoom out further and the picture gets worse. OX Security has now mapped 10 CVEs across the MCP ecosystem — a protocol with 150M+ downloads and, by their estimate, up to 200,000 exposed servers in the wild. They demonstrated RCE against six live production platforms, not lab conditions.

Three independent research efforts, three different angles (a Microsoft framework, a class of CLI coding agents, the MCP protocol layer itself), converging on the same conclusion: agentic AI's most common architectural pattern — let a model read untrusted text, then let that reasoning drive tool calls — has an injection-to-execution path that nobody has fully closed.

The readiness gap is the real story

Three confirmed, independently sourced findings in one cycle — a framework-level RCE, a multi-vendor CLI agent exploit, and a protocol-wide CVE mapping — is not a "some companies are behind" picture. It's a market where the deployment curve is wildly outrunning the security curve, and the CVEs landing this year are the evidence, not the warning. CVE-2026-25592 was the warning. CVE-2026-26030, TrustFall, and the MCP findings are what happens when the warning gets ignored at industry scale.

What this means if you're actually running agents in production

If you read my last post and patched Semantic Kernel and considered the topic closed, it isn't. The fix for one CVE in one framework doesn't fix the architectural pattern that produced it. A few things worth actually doing:

  • Treat every prompt-to-tool-call boundary as untrusted input, the same way you'd treat a web form field — not just the first hop, the whole chain. CVE-2026-26030 and TrustFall both broke at exactly this boundary.
  • Audit your MCP server exposure. If you're running MCP servers reachable from anywhere other than a tightly scoped internal network, you're a candidate for the same RCE pattern OX Security demonstrated against six production platforms.
  • Don't assume "it's a different framework" buys you safety. Four different CLI agents fell to the same TrustFall mechanism. The framework name on the box isn't the control that matters; the architecture underneath it is.
  • Pressure-test before you scale, not after. With 71% of organisations admitting they're not ready to secure what they're about to deploy, the safe assumption is that your stack has an undiscovered version of this same problem right now.
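One way to put a review step in front of the "trust this folder" click described above and to start the MCP exposure audit from the second bullet, as an added example that is not code from Adversa AI, Microsoft, OX Security, or any of the agents named here: it reads a repo's .mcp.json before the folder is trusted and refuses auto-trust when any configured server would spawn a shell or fetch and run remote code. It assumes the common layout `{"mcpServers": {name: {command, args, url, env}}}` (the key names are an assumption; check your agent's documented schema), and the sample config is constructed.

```python
import json
from pathlib import Path

# Executables that mean "run arbitrary text as a command" or "fetch code and run it".
SHELLS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh"}
FETCH_AND_RUN = {"npx", "uvx", "curl", "wget", "pip", "pipx"}


def review_mcp_config(text):
    """Return (severity, server, reason) for every MCP server this config would start.

    Assumes the {"mcpServers": {name: {command, args, url, env}}} layout.
    """
    findings = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # A config the agent cannot parse is not "safe", it is unknown: treat as high.
        return [("high", "<file>", f"unparseable .mcp.json: {exc}")]
    for name, spec in cfg.get("mcpServers", {}).items():
        cmd, args, url = spec.get("command"), spec.get("args", []), spec.get("url")
        if cmd:
            argv = [Path(str(a)).name.lower() for a in [cmd, *args]]  # basenames only
            if any(a in SHELLS for a in argv):
                findings.append(("high", name, "spawns a shell: " + " ".join(map(str, [cmd, *args]))))
            elif argv[0] in FETCH_AND_RUN:
                findings.append(("high", name, f"fetches and runs code via {argv[0]}"))
            else:
                findings.append(("medium", name, f"spawns local process {cmd}"))
        if url:
            findings.append(("medium", name, f"connects to remote MCP server {url}"))
        if spec.get("env"):
            findings.append(("low", name, "sets env vars for the server: " + ", ".join(spec["env"])))
    return findings


def should_block_trust(findings):
    """Auto-trust is refused when any server is rated high; everything else needs a human look."""
    return any(sev == "high" for sev, _, _ in findings)


# Constructed sample: one benign local server, two that should block trust, one remote.
SAMPLE_MCP_JSON = json.dumps({"mcpServers": {
    "docs": {"command": "node", "args": ["./tools/docs-server.js"]},
    "helper": {"command": "npx", "args": ["-y", "some-package@latest"]},
    "setup": {"command": "bash", "args": ["-c", "./setup.sh"]},
    "remote": {"url": "https://mcp.example.invalid/sse", "env": {"TOKEN": "placeholder"}},
}})

if __name__ == "__main__":
    results = review_mcp_config(SAMPLE_MCP_JSON)
    for sev, server, reason in results:
        print(f"[{sev:6}] {server}: {reason}")
    print("auto-trust blocked:", should_block_trust(results))
```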

This is exactly the gap an AI security audit is built to find — not "does your model behave," but "can untrusted input reach a shell, a file system, or a tool with real-world consequences."

The pattern, not the patch

CVE-2026-25592 taught the industry that Semantic Kernel had a flaw. CVE-2026-26030, alongside TrustFall and the MCP findings, teaches something less comfortable: the flaw was never really about Semantic Kernel. It's about an architecture that most agentic AI in production today shares. Patching the CVE in front of you is necessary. It is not the same thing as closing the gap.

If you're running agent frameworks, MCP servers, or CLI coding agents in anything resembling production right now, the question isn't whether you have a Semantic-Kernel-shaped problem. It's whether you've checked.