OpenClaw Security Guide

Microsoft: When prompts become shells: RCE vulnerabilities in AI agent frameworks

Tags: openclaw, agentic-ai, prompt-injection, tool-calling, semantic-kernel, sandboxing, remote-code-execution

Date: May 7, 2026
First Seen: May 7, 2026
Last Reviewed: May 18, 2026
Publisher: Microsoft Security Blog
Source Type: article



Source Summary

What It Contains

Microsoft Defender Security Research's May 7, 2026 article explains two fixed Semantic Kernel vulnerabilities where prompt-influenced tool parameters could cross into execution, file access, or sandbox-boundary impact.

Extracted Claims

  • CVE-2026-26030 affected Python semantic-kernel versions before 1.39.4 when the Search Plugin used the In-Memory Vector Store filter functionality with default behavior.
  • The vulnerable filter path interpolated AI-model-controlled input into a Python lambda expression and evaluated it; Microsoft reports that a crafted payload could bypass blocklist-based validation and execute commands.
  • CVE-2026-25592 affected Semantic Kernel .NET SDK versions before 1.71.0 because DownloadFileAsync was exposed to the AI model as a callable function and accepted a model-controlled local path.
  • Microsoft says a related arbitrary file-read risk existed for upload helpers across Python and .NET SDKs when local paths were accepted without sufficient validation.
  • Microsoft recommends upgrading affected Semantic Kernel packages and hunting for host-level post-exploitation signals such as suspicious child processes, outbound connections, and persistence artifacts during the vulnerable window.
  • The article emphasizes that AI models are not security boundaries; host-level monitoring and tool-level validation remain necessary when agents can call tools.
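The two tool-parameter patterns in the claims above (a query filter spliced into evaluated code, and a model-supplied local path handed to a file helper) both come down to validating the parameter at the tool boundary rather than trusting the model. The following is an added example, not Semantic Kernel or Armorer code; the field names, operators and sandbox directory are constructed assumptions.

```python
"""Hardened handling for two model-controlled tool parameters.

Added example (not Semantic Kernel or Armorer code). FILTER_FIELDS,
FILTER_OPS and the sandbox directory are constructed assumptions.
"""
import operator
from pathlib import Path

# Allowlists: the model may only reference these record fields and operators.
FILTER_FIELDS = {"category", "year", "author"}  # assumed vector-store schema
FILTER_OPS = {"==": operator.eq, "!=": operator.ne,
              "<": operator.lt, ">": operator.gt}


def _check(record, field, fn, value):
    """Evaluate one clause; missing fields and type mismatches never match."""
    try:
        return field in record and bool(fn(record[field], value))
    except TypeError:
        return False


def compile_filter(clauses):
    """Build a record predicate from structured (field, op, value) clauses.

    This replaces splicing model text into lambda source and calling eval():
    no string is ever executed, so code-shaped values are compared as data,
    and anything outside the allowlists is rejected before a query runs.
    """
    checks = []
    for field, op, value in clauses:
        if field not in FILTER_FIELDS:
            raise ValueError(f"unknown filter field: {field!r}")
        if op not in FILTER_OPS:
            raise ValueError(f"unsupported operator: {op!r}")
        if not isinstance(value, (str, int, float, bool)):
            raise ValueError("filter values must be plain literals")
        checks.append((field, FILTER_OPS[op], value))
    return lambda record: all(_check(record, f, fn, v) for f, fn, v in checks)


def resolve_sandbox_path(model_path, base_dir):
    """Confine a model-supplied local path to base_dir (the file-transfer case).

    Symlinks and '..' are resolved before the containment check; an absolute
    model_path replaces base_dir in the join and therefore fails the check.
    """
    base = Path(base_dir).resolve()
    target = (base / model_path).resolve()
    if base not in target.parents:
        raise PermissionError(f"path escapes {base}: {model_path!r}")
    return target
```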

Evidence Quality

Primary vendor research from Microsoft Security Blog with named researchers, CVE identifiers, affected-version guidance, exploit-chain explanation, and mitigation details. The affected products are Microsoft Semantic Kernel packages, while Armorer relevance is based on the generalizable agent tool-boundary pattern.

Armorer Relevance

This source is highly relevant to Armorer because it shows why local agent operators need execution-layer controls around tool calls, not only prompt hygiene. Armorer could use the pattern to justify checks for model-callable filesystem helpers, code execution tools, sandbox transfer paths, broad mounts, credential exposure, suspicious child processes, and unexpected outbound traffic from agent runtimes.

Follow-Up

  • Track whether downstream agent products publish advisories for embedded vulnerable Semantic Kernel versions.
  • Consider adding Armorer health checks for model-callable upload/download helpers, dangerous filesystem path parameters, and code-evaluation or query-filter plugins.
  • Consider adding detection guidance for suspicious child processes and persistence artifacts spawned by agent framework host processes.