Two Vendor Postures on Agent-Framework RCE Just Drew the Procurement Line for 2026 Buyers
The major agent frameworks all met the same adversary class across the past six months: a prompt that crosses the boundary from content to code. Microsoft Semantic Kernel was the headline case, with two CVEs disclosed alongside a Microsoft Security Blog post on May 7, 2026 that walks through a single crafted prompt launching calc.exe on the host running the agent. LangChain met the same class of bug in December 2025, when CVE-2025-68664 and CVE-2025-68665 shipped with a CVSS 9.3 and a patch. Anthropic met it in April 2026, when OX Security disclosed an STDIO design flaw affecting roughly 200,000 MCP servers; Anthropic characterized the execution model as the protocol's intended trust contract.
Two of those three vendors treated the bug class as a patch target. One treated it as the protocol's intended trust contract. That difference is the procurement signal buyers signing 2026 agent-framework contracts have to read against vendor posture, and the public record on each vendor is now stable enough to do that reading.
Microsoft Semantic Kernel: Two CVEs, AST-Level Defense, and a Companion .NET Patch
CVE-2026-26030 is the more architecturally interesting of the two Semantic Kernel CVEs. The In-Memory Vector Store accepted custom filters as Python lambda expressions and executed them through eval() with user-influenced parameters interpolated. A hostile prompt steered the lookup parameter; eval() ran the attacker's code. The advisory rates it critical, classifies it as CWE-94 code injection, and lists the fix in semantic-kernel 1.39.4. The patch adds four defensive layers: an AST node-type allowlist, a function-call allowlist, a dangerous-attribute blocklist, and a name-node restriction that only permits the lambda parameter as a bare identifier, rejecting os, eval, type, and the rest of the standard escape vocabulary. The maintainer guidance is also explicit: "You should not let filters be set by untrusted sources, including by LLM inputs," and "avoid using InMemoryVectorStore for production scenarios."
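The four defensive layers described above, as an added illustration rather than Semantic Kernel's own patch code: the node-type allowlist, the method-call allowlist, the dunder-attribute blocklist, and the rule that the only bare identifier permitted is the lambda parameter. The allowlist contents, function names and sample filters are assumptions constructed for this example.

```python
# Added illustration of the four-layer lambda validator; not Semantic Kernel's
# code. Allowlists, function names and sample filters are constructed here.
import ast

# Layer 1: AST node types a record filter may contain.
ALLOWED_NODES = {
    ast.Expression, ast.Lambda, ast.arguments, ast.arg, ast.Name, ast.Load,
    ast.Constant, ast.Compare, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not,
    ast.USub, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.In,
    ast.NotIn, ast.Subscript, ast.Attribute, ast.Call, ast.List, ast.Tuple,
}
# Layer 2: the only callables permitted are these methods, invoked on the record.
ALLOWED_CALLS = {"get", "lower", "upper", "startswith", "endswith"}
# Layer 3: attributes that reach interpreter internals are blocked by name,
# and any leading-underscore attribute is rejected as well.
BLOCKED_ATTRS = {"__class__", "__dict__", "__globals__", "__subclasses__", "__builtins__"}


def validate_filter(source: str) -> ast.Expression:
    """Raise ValueError unless source is a one-parameter lambda passing all four layers."""
    tree = ast.parse(source, mode="eval")
    body = tree.body
    if (not isinstance(body, ast.Lambda) or len(body.args.args) != 1
            or body.args.vararg or body.args.kwarg or body.args.kwonlyargs):
        raise ValueError("filter must be a lambda with exactly one parameter")
    param = body.args.args[0].arg
    for node in ast.walk(tree):
        if type(node) not in ALLOWED_NODES:
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        # Layer 4: the lambda parameter is the only bare identifier allowed,
        # so os, eval, type and similar names are rejected before evaluation.
        if isinstance(node, ast.Name) and node.id != param:
            raise ValueError(f"disallowed name: {node.id}")
        if isinstance(node, ast.Attribute) and (node.attr in BLOCKED_ATTRS or node.attr.startswith("_")):
            raise ValueError(f"disallowed attribute: {node.attr}")
        if isinstance(node, ast.Call):
            if not isinstance(node.func, ast.Attribute) or node.func.attr not in ALLOWED_CALLS:
                raise ValueError("only allowlisted method calls on the record are permitted")
    return tree


def compile_filter(source: str):
    """Validate, then evaluate with empty builtins so nothing but the record is reachable."""
    code = compile(validate_filter(source), "<filter>", "eval")
    return eval(code, {"__builtins__": {}}, {})


def is_safe_filter(source: str) -> bool:
    try:
        validate_filter(source)
        return True
    except (ValueError, SyntaxError):
        return False
```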
CVE-2026-25592 is the .NET-side companion. The SessionsPythonPlugin exposed DownloadFileAsync and UploadFileAsync as kernel functions callable by the model, with insufficient input validation on localFilePath. CWE-22 path traversal yields arbitrary file write. The advisory also rates it critical. Fixed in Microsoft.SemanticKernel.Core 1.71.0, with an additional Function Invocation Filter inspecting localFilePath against an allowlist as the recommended defense-in-depth.
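An added illustration of the allowlist check recommended above for localFilePath, written in Python rather than as the plugin's .NET Function Invocation Filter: the path is canonicalized first so that `..` segments and symlinks cannot carry it outside the permitted root. The function names, the sandbox root and the sample paths are assumptions constructed for this example.

```python
# Added illustration of a localFilePath allowlist check; not the Semantic Kernel
# plugin's own filter. Function names, root and sample paths are constructed.
from pathlib import Path


def resolve_allowed_local_path(local_file_path: str, allowed_root: str) -> Path:
    """Return the canonical path if it stays inside allowed_root, else raise ValueError."""
    if "\x00" in local_file_path:
        raise ValueError("null byte in path")
    root = Path(allowed_root).resolve()
    # A relative path is anchored at the root; an absolute one is taken as given.
    # resolve() collapses '..' and follows symlinks before the containment check,
    # and comparing against parents avoids the string-prefix trap (root vs root-evil).
    candidate = (root / local_file_path).resolve()
    if candidate == root or root not in candidate.parents:
        raise ValueError(f"{local_file_path!r} escapes {allowed_root!r}")
    return candidate


def is_allowed_local_path(local_file_path: str, allowed_root: str) -> bool:
    try:
        resolve_allowed_local_path(local_file_path, allowed_root)
        return True
    except ValueError:
        return False
```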
The detail buyers should hold onto is that patching is iterative; the first patch closes a known mechanism, and a follow-up patch is sometimes required as independent research catches up to design assumptions. Vendors who patch are signing up for that iteration cycle, in public, version by version. LangChain followed the same posture in December 2025 with a CVSS 9.3 serialization-injection patch in langchain-core, and Microsoft's Agent Governance Toolkit released in April 2026 extends a runtime-governance layer covering LangChain and Microsoft Agent Framework, treating cross-framework runtime control as a vendor responsibility rather than a customer one.
MCP STDIO: The Trust-Boundary Position
OX Security's audit of the Model Context Protocol surfaced an STDIO transport behavior that, per OX Security and VentureBeat's coverage, affects roughly 200,000 servers, with Tom's Hardware separately tallying over 150 million MCP SDK downloads as the broader exposure footprint, and additional coverage from The Hacker News and The Register. The reported behavior is that an MCP client launching a server over STDIO executes whatever binary the configuration file points at, in the user's context, with no protocol-level mediation between configuration write and code execution.
Anthropic's public stance, as reported by VentureBeat, is that it declined to modify the protocol; it characterizes STDIO's execution model as a secure default and treats input sanitization as the developer's responsibility. The trust boundary, in Anthropic's framing, sits with whoever controls the configuration file; configuration-write is authorized-execute by design. That position is consistent with the broader MCP shared-responsibility framing I unpacked in "The MCP shared-responsibility model is broken" and with the pattern I tracked across two frontier labs declining to patch agent-config behaviors five days apart.
There is a defensible architectural argument for the by-design posture. STDIO is a local subprocess transport; if an attacker can write the configuration file, the attacker already controls the user's account, and protocol-level checks would not change that calculus. Whether that argument matches a given buyer's threat model is a separate question; the relevant point for procurement is that the published vendor stance is "expected behavior," not "patch incoming."
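Under the by-design posture the compensating control belongs at configuration-file custody, so the check a buyer actually deploys is one that notices when the file has changed. The following is an added illustration of such a drift audit, not an Anthropic or MCP SDK tool: it assumes the common `mcpServers` layout with `command`, `args` and `env` per server, and the reviewed baseline and sample config are constructed here.

```python
# Added illustration of an MCP STDIO config custody check; not MCP SDK code.
# The "mcpServers" layout, baseline and sample config are constructed assumptions.
import json
import os

# Constructed baseline recorded when the config file was last reviewed.
REVIEWED_BASELINE = {
    "filesystem": {"command": "/usr/local/bin/mcp-filesystem",
                   "args": ["--root", "/home/alice/docs"], "env": {}},
}
CLEAN_CONFIG = json.dumps({"mcpServers": REVIEWED_BASELINE})

# Constructed config as it might look after an unreviewed write.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "/usr/local/bin/mcp-filesystem",
                       "args": ["--root", "/home/alice"]},
        "notes": {"command": "node", "args": ["./notes-server.js"], "env": {"DEBUG": "1"}},
    }
})


def audit_mcp_config(config_text: str, baseline: dict) -> list:
    """Return one finding per deviation; empty means the config matches the reviewed baseline."""
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for name, spec in servers.items():
        command = spec.get("command", "")
        args = spec.get("args", [])
        env = spec.get("env", {})
        if not os.path.isabs(command):
            # A bare program name is resolved through PATH at launch, so the
            # binary that runs depends on the user's environment, not the review.
            findings.append(f"{name}: command {command!r} is not an absolute path")
        if name not in baseline:
            findings.append(f"{name}: server absent from reviewed baseline")
            continue
        expected = baseline[name]
        if command != expected["command"]:
            findings.append(f"{name}: command changed to {command!r}")
        if args != expected.get("args", []):
            findings.append(f"{name}: args changed to {args!r}")
        extra_env = sorted(set(env) - set(expected.get("env", {})))
        if extra_env:
            findings.append(f"{name}: unreviewed env keys {extra_env}")
    for name in baseline:
        if name not in servers:
            findings.append(f"{name}: reviewed server missing from config")
    return findings
```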
The Pattern: Two Postures, Both With Architectural Arguments
The two postures are visible in the public record and stable enough to procure against. Microsoft and LangChain treated prompt-injection-to-code-execution as a vulnerability class to enumerate, number, and patch in version-controlled releases, with public advisories and AST-level defensive layers in the Semantic Kernel case. Anthropic treated the analogous behavior in MCP STDIO as the protocol's intended trust model, with the boundary explicitly placed at configuration-file control and the burden of validation on the integrating developer.
Each posture carries an internally consistent argument. The patch posture says the vendor is responsible for narrowing the blast radius of any model-driven function call, even when the trust boundary is technically the operator's; the iteration is the value, and the Microsoft Security Blog post's recommendation is precisely that operators "upgrade immediately, and you don't need to rewrite your agent's architecture; the security updates simply remove the AI model's ability to trigger these functions autonomously." The by-design posture says the protocol's trust model is the contract; modifying the protocol to compensate for misconfiguration would invite a long tail of compensating controls that obscure where responsibility actually sits.
The buyer's job is matching posture to threat model, not picking the morally superior vendor. A team integrating an agent framework into an environment where untrusted developers can land code and configuration files in the deployment path will read the patch posture as continuous risk reduction. A team running a hardened single-tenant deployment with strict configuration-file custody will read the by-design posture as a clean contract that lets them place compensating controls where they actually belong.
What This Means For 2026 Procurement
The procurement document for an agent-framework selection should treat vendor posture as a first-class diligence row, not a footnote in the security questionnaire. The Five Eyes agentic AI procurement guidance gives the risk-class scaffold; the posture question lives one layer below it. Three concrete items to write into the diligence pack:
- Disclosed CVE history for the framework itself, with patch latency. Ask for every CVE issued against the framework or its first-party plugins in the last twelve months, the published-to-patched interval for each, and the public advisory URL. Microsoft Semantic Kernel and LangChain both have public patch histories; absence of CVEs is not absence of bugs, it is a posture signal in itself.
- Vendor stance on prompt-injection-to-tool-execution as a vulnerability class. Ask the vendor in writing whether it treats prompt-injection-driven invocation of registered tools as a vulnerability class subject to advisory and patch, or as expected behavior subject to operator validation. The answer is the procurement signal. Either answer is defensible; an evasive answer is not.
- SLA language tying patch latency to advisory severity. For vendors taking the patch posture, write a contractual patch-latency commitment for CVSS 9.0+ advisories on the framework or any first-party plugin. For vendors taking the by-design posture, write a contractual notification commitment for any architectural finding the vendor declines to patch, with the vendor's written rationale included as an addendum the buyer can route to internal architecture review.
The procurement implication is durable. Vendors who patch will keep patching, and the second and third patches will sometimes follow the first because architecture moves slower than research. Vendors who characterize a behavior as the protocol's intended trust contract do not start patching the declared-expected behavior on a later schedule; that posture is the contract. Buyers signing agent-framework contracts in 2026 should read the public posture as the durable variable and price their compensating controls against it.