Microsoft discloses prompt-injection flaws that let agents run hostile code
← News Posts
NewsNews Post

Microsoft discloses prompt-injection flaws that let agents run hostile code

Microsoft has [disclosed two vulnerabilities in its Semantic Kernel agent framework](https://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/) that turned prompts into shells. CVE-2026-26030 allowed remote code execution through the in-memory vector store, and CVE-2026-25592 enabled arbitrary file writes via the SessionsPythonPlugin. The demonstration is the part worth briefing upward: a single injected prompt could execute code on the host running the agent, including launching arbitrary programs. Root causes were ordinary engineering sins given new reach by agents, unsafe eval-style string interpolation and over-exposed tool functions without path validation. Patches are available, with fixes in Python semantic-kernel 1.39.4 and later and .NET 1.71.0 and later. Teams running agent frameworks should confirm versions now. The architectural lesson outlasts the patch. Microsoft's own framing belongs in every agentic AI risk register: your LLM is not a security boundary. Anything an agent can touch through its tools must treat tool parameters as attacker-controlled input, because a poisoned document or webpage is all it takes to supply them.

Tags

NewsSecurity
Discuss this on X (@TheAICommand)

TheAICommand. Intelligence, At Your Command.

← Back to News Posts

Read next

Zurich Bahnhofstrasse Banking Dusk

Build 2026 makes agents first-class citizens of the Microsoft stack

Microsoft used [Build 2026](https://blogs.microsoft.com/blog/2026/06/02/microsoft-build-2026-be-yourself-at-work/) to make agents first-class citizens of its stack, and the governance tooling arrived alongside the capability for once. Microsoft IQ, a context layer spanning Work IQ, Fabric IQ, Foundry IQ and Web IQ, is generally available across GitHub Copilot, Foundry and Copilot Studio, grounding agents in Microsoft 365 data through APIs that go live on 16 June. Microsoft Execution Containers enter preview as OS-enforced sandboxes that contain what an agent can touch, and ASSERT plus the Agent Control Specification are open-sourced for standardised agent safety evaluation. The headline for compliance teams is Agent 365: Entra, Defender and Purview extended into a unified control plane where agents get identities, security posture and compliance treatment the way employees do. The framing to take into your next architecture discussion: Microsoft is now assuming organisations will run fleets of agents, and is selling the management layer. If your AI governance still models one user prompting one chatbot, the vendor roadmap has already moved past your risk register.

Read more
Lighthouse Cape Byron NSW

OAIC survey finds trust in AI companies has collapsed to 4 per cent

The Office of the Australian Information Commissioner has released its triennial [Australian Community Attitudes to Privacy Survey](https://www.oaic.gov.au/news/media-centre/australians-more-concerned-about-privacy-as-trust-in-ai-languishes,-survey-finds), and the AI numbers are stark. Just 4 per cent of Australians trust AI companies. Only social media platforms rank lower, at 3 per cent. The broader trend is sharpening: 87 per cent of respondents are more concerned about privacy than five years ago, and privacy complaints to the OAIC are up 73 per cent this financial year to date. The survey was run by the Social Research Centre in March 2026 with 1,511 nationally representative adults. Privacy Commissioner Carly Kind noted that "wariness of emerging technologies is increasing, particularly in terms of fairness, accountability and the practical ability to exercise rights." The number worth building strategy on: 68 per cent would be more likely to use digital services if they knew data was handled fairly and responsibly. For any team deploying AI on customer or employee data, the complaint pathway is not a side process. It is part of the control environment, and now a measurable trust asset.

Read more
Lisbon 25 De Abril Bridge Dusk

Mistral puts frontier-class weights on four GPUs with Medium 3.5

Mistral has released [Medium 3.5](https://mistral.ai/news/vibe-remote-agents-mistral-medium-3-5/), a 128 billion parameter dense model with a 256k context window that folds instruction-following, reasoning and coding into a single set of weights. It posts 77.6 per cent on SWE-Bench Verified and 91.4 on the agentic telecom benchmark. Two release details matter more than the benchmarks. The weights are open, [published on Hugging Face](https://huggingface.co/mistralai/Mistral-Medium-3.5-128B) under a modified MIT licence that permits commercial use with carve-outs for high-revenue companies. And the model self-hosts on as few as four GPUs, with API pricing at $1.50 per million input tokens and $7.50 output for those who would rather not. The release also ships Vibe remote agents, asynchronous sandboxed cloud coding sessions that integrate with GitHub, Jira and Slack. For regulated Australian entities weighing data residency, APRA-style vendor concentration questions and exit strategies, a frontier-class model that runs inside your own perimeter is no longer hypothetical. The procurement conversation has a new comparison point.

Read more