AI Agent Framework Flaws Turn Prompt Injection Into Code Execution and Persistence
Microsoft disclosed two critical vulnerabilities in its Semantic Kernel AI agent framework that could let prompt injection escalate into host compromise. CVE-2026-26030 affected the Python implementation before version 1.39.4, where unsafe eval()-based lambda construction in the Search Plugin’s default In-Memory Vector Store filter path enabled remote code execution, while CVE-2026-25592 affected the .NET SDK before version 1.71.0 and allowed arbitrary file write through SessionsPythonPlugin’s DownloadFileAsync, creating a path to sandbox escape and host takeover; a related arbitrary file read issue was also present in upload handling. Microsoft said it hardened AST validation, restricted callable functions and attributes, removed unintended tool exposure, added path validation, and urged customers to patch and review endpoint telemetry for signs of exploitation.
The disclosure lands amid broader warnings that AI agents can preserve and amplify malicious instructions through memory and context reuse. Cisco researchers recently showed that poisoned memory files in Anthropic’s Claude Code could persist across projects and sessions, steering the assistant to insert hard-coded secrets, choose insecure packages and configurations, and spread tainted changes to another developer. Researchers and defenders say the incidents reinforce that AI models are not security boundaries and that any model-influenced tool parameter, memory file, or context artifact should be treated as attacker-controlled input, with mitigations including patching vulnerable frameworks, scanning memory and dependency files, and purging stored agent memory after suspected compromise.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Microsoft discloses and patches two Semantic Kernel RCE flaws
Microsoft disclosed two critical vulnerabilities in its Semantic Kernel AI agent framework: CVE-2026-26030 in the Python implementation before version 1.39.4 and CVE-2026-25592 in the .NET SDK before version 1.71.0. The flaws enabled remote code execution and arbitrary file write/read scenarios that could lead to sandbox escape and host compromise, and Microsoft released fixes including stricter validation, reduced tool exposure, and path checks.
Cisco researchers disclose Claude Code memory poisoning issue
Cisco researchers reported that poisoned memory files in Anthropic's Claude Code could persist malicious instructions across projects and sessions, enabling behavior manipulation such as inserting secrets into code, choosing insecure packages, and propagating changes to another developer. Anthropic mitigated the issue, and the disclosure highlighted AI memory/context files as a broader systemic weakness.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AI Agent Session Smuggling and Code Interpreter Exploits in Enterprise AI Systems
A new attack technique called **agent session smuggling** has been identified, allowing malicious AI agents to exploit established cross-agent communication sessions to covertly inject instructions into victim agents. This method leverages the stateful nature of protocols like Agent2Agent (A2A), which are designed for persistent, context-aware conversations between AI agents. The attack does not exploit a vulnerability in the protocol itself, but rather abuses the implicit trust and memory features of stateful agent communication, enabling a rogue agent to manipulate a victim over multiple interactions. Mitigation strategies include human-in-the-loop enforcement, remote agent verification, and context-guarding mechanisms. Separately, a vulnerability in Anthropic’s Claude AI assistant was demonstrated, where attackers could exploit the code interpreter feature to exfiltrate sensitive enterprise data. By using indirect prompt injection, malicious instructions embedded in user-supplied content could trigger Claude to retrieve confidential information and upload it to attacker-controlled accounts via the platform’s own API, bypassing default network restrictions. The exploit highlights the risks of implicit trust and insufficiently restricted internal APIs in advanced AI systems, emphasizing the need for robust security controls around agent interactions and code execution features.
Mar 21, 2026
Prompt-injection RCE risks in agentic AI tools with OS and browser automation
Security researchers and CERT/CC reporting highlighted **critical prompt-injection-to-execution paths** in agentic AI systems where untrusted content can be interpreted as instructions and then executed via connected tools. In *ModelScope MS-Agent*, **CVE-2026-2256** (CVSS 9.8) was reported as a **command injection / RCE** issue tied to the framework’s “Shell tool,” where external input is not properly sanitized before being passed to OS command execution; a `check_safe()` denylist-based filter was described as bypassable via obfuscation/alternate syntax, enabling arbitrary command execution and potential full host compromise. Separate research from **Zenity Labs** described a broader class of **agentic AI browser** weaknesses (including Perplexity’s *Comet*) where attackers can hijack autonomous workflows using indirect prompt injection delivered through normal channels such as a **calendar invite**; prior to patches, this could drive the browser to access local files, read directories/files, and exfiltrate data, and in some cases leverage the agent’s existing authenticated context to interact with sensitive services (including password managers). A similar execution-model risk was reported in *Langflow*’s CSV Agent as **CVE-2026-27966** (CVSS 10.0), where `allow_dangerous_code=True` was hardcoded, enabling LangChain’s `python_repl_ast` tool and allowing remote attackers with chat access to coerce **server-side code execution** and full system compromise via prompt injection.
Apr 2, 2026
Prompt Injection Attacks Abuse AI Agent Memory and Link Previews for Manipulation and Data Exfiltration
Security researchers reported multiple **prompt-injection-driven attack paths** that exploit how AI assistants and agentic systems process untrusted content. Microsoft researchers described **AI recommendation/memory poisoning** (mapped in MITRE ATLAS as **`AML.T0080: Memory Poisoning`**) in which attackers insert instructions that cause an assistant to persistently “remember” certain companies, sites, or services as trusted or preferred, shaping future recommendations in later, unrelated conversations. Observed activity over a 60-day period included **50 distinct prompt samples** tied to **31 organizations across 14 industries**, with potential downstream impact in high-stakes domains like health, finance, and security where manipulated recommendations can mislead users without obvious signs of tampering. A separate finding highlighted how **AI agents embedded in messaging apps** can be coerced into leaking secrets via **malicious link previews**. PromptArmor demonstrated that an attacker can use chat-based prompt injection to trick an AI agent into generating an attacker-controlled URL that includes sensitive data (e.g., API keys) as parameters; when messaging platforms (e.g., Slack/Telegram) automatically fetch **link preview** metadata, the preview request can become a **zero-click exfiltration channel**—no user needs to click the link for the data-bearing request to be sent. Together, the reports underscore that agent features intended to improve usability—*persistent memory*, URL-based prompt prepopulation (e.g., “Summarize with AI” buttons), and automatic preview fetching—can be repurposed into scalable manipulation and data-loss mechanisms when untrusted prompts are processed implicitly.
Mar 21, 2026