When Microsoft’s Defender research team disclosed two remote code execution vulnerabilities in Semantic Kernel this week, CVE-2026-25592 and CVE-2026-26030, the finding had a specific weight that individual CVE counts do not capture. This was not an outside researcher pointing at someone else’s code. This was the security organization at the company building and shipping enterprise AI agent infrastructure discovering that its own framework allows prompt injection to escalate to remote code execution. If the team with the deepest resources to get AI security right produced this class of vulnerability in its own product, the problem is not a resource failure. It is a systematic one.

Seven other AI agent frameworks disclosed the same class of vulnerability in the same week. That figure is the thing to hold onto.

Gemini CLI has a workspace trust bypass: opening a project directory containing a malicious configuration file triggers code execution, with no user interaction required beyond the act of opening the project. Paperclip exposes OS command injection via its cleanupCommand and provisionCommand fields; any agent-controlled cleanup script that reaches the shell unsanitized executes with the agent’s privileges. PPTAgent calls Python’s eval() directly on LLM-generated code with builtins in scope, which is not sandboxing but delegation. Evolver passes LLM-extracted parameters into execSync() without validation. OpenClaw loads setup-api.js from the working directory, trusting whatever file happens to be present. LangChain’s unsafe deserialization via overly broad load() allowlists (CVE-2026-44843) adds the orchestration layer itself to the list.

These are not the same product. They do not share a library. They do not share a vendor. What they share is an assumption: that output from a language model, or arguments supplied to an agent through a tool-use interface, can be treated as data rather than as untrusted instructions that may reach privileged execution.

In security engineering, this assumption has a name: treating untrusted input as data when the component that consumes it will interpret it as code. It is the same assumption that produced SQL injection in the 1990s. A developer building a database query treats user-supplied input as part of the query string because conceptually it is just a name, a search term, a value. The database does not make that distinction. Neither does a shell.

The difference is that SQL injection affected databases. Agent-controlled inputs reaching shell execution affect everything an agent has permission to touch.

The vm2 Punctuation

The Node.js sandbox library vm2, embedded in CI/CD pipelines and LLM tool-execution runtimes as the mechanism that allows “safe” code execution by agents, disclosed three separate sandbox escape paths this week: a Module._load() bypass (CVE-2026-43999, CVSS 9.9), an unconditional require() bypass when nesting is enabled (CVE-2026-44007, CVSS 9.1), and a require.root path restriction bypass via symlink traversal (CVE-2026-43998, CVSS 8.5). Three independent researchers finding three distinct escape paths in one library during one week is not a patch backlog. It is an architectural signal.

vm2’s escape surface follows from JavaScript’s prototype chain and module system. Any replacement built on the same foundations, an in-process sandbox that shares the host’s object graph, inherits the same surface. The “sandboxed execution” claim that enterprise buyers receive when they evaluate agent tooling platforms is, in some of these deployments, a marketing characterization rather than a verified security boundary. The vm2 escapes this week are what happens when the characterization gets tested.

The Disclosure Velocity Problem

W19 had four AI agent frameworks disclosing RCE-class vulnerabilities. W20 doubled that count to eight-plus. Security researchers have identified the vulnerability class and are conducting systematic audits of LLM orchestration tooling. That auditing is ongoing.

AutoGen, LangGraph, and CrewAI have not appeared in this disclosure cycle yet. The reason is not that they are architecturally different; their input handling patterns suggest the same exposure surface. The reason is that researchers have not published findings on them yet. Expect W21 to change that.

The disclosure-to-weaponization window for AI tool CVEs from W18 ran to ten to thirteen hours. The organizational patch cycle for AI agent frameworks, which often sit outside formal software asset management and run in developer environments rather than production servers, is considerably longer than that.

What the Ecosystem Built Trust On

Open WebUI disclosed six vulnerabilities simultaneously this week, including an LDAP empty-password authentication bypass (CVE-2026-44551, CVSS 9.1), Redis cross-instance cache poisoning (CVE-2026-44552, CVSS 8.7), and RAG knowledge base poisoning via unauthorized collection overwrite (CVE-2026-44554). Six distinct vulnerabilities disclosed simultaneously from one platform indicates a coordinated security audit, not independent discovery. LiteLLM, the AI proxy layer sitting between enterprise applications and upstream LLM APIs, received a CVSS 9.8 SQL injection (CVE-2026-42208) added to the CISA Known Exploited Vulnerabilities catalog May 8 with confirmed active exploitation against financial services and healthcare infrastructure. The Cline AI coding assistant disclosed a cross-origin WebSocket hijacking (CVE-2026-44211, CVSS 9.6) that allows any website a developer visits to silently connect to the Cline server running on localhost and exfiltrate workspace paths, git branch data, and AI agent chat messages in real time.

These are not model vulnerabilities. Nobody is attacking the weights. What is under sustained exploitation is the trust infrastructure that surrounds the models: the proxies, the orchestration UIs, the IDE extensions, the CLI wrappers. The perimeter that enterprise teams built to evaluate model safety does not address whether the plumbing between the model and the rest of the environment is architecturally sound.

Where This Goes

The disclosure rate will stay elevated into W21 and beyond. Researchers have found a productive vulnerability class in a target-rich environment, and the auditing is methodical. The count of affected frameworks will grow before it plateaus.

Patching individual CVEs is necessary and insufficient. Upgrade Semantic Kernel to .NET 1.71.0 or Python 1.39.4 and langchain-core to 0.3.85: do it. But no patch changes the architectural condition that makes this class of vulnerability reproducible across eight platforms in a week. The condition is that LLM outputs and tool arguments are reaching shell execution, eval(), and privileged filesystem operations without a validation gate. That is a design decision, not a coding error, and it is widespread enough to be considered an industry default.

The defender’s audit question is not “which frameworks on this CVE list are we running.” It is: in every AI agent deployment we operate, can agent-controlled inputs, whether user-supplied tool arguments, retrieved document content, or model-generated file paths, reach a privileged execution context without passing through a validation boundary? If the answer requires checking, the answer is probably yes.

For any AI tooling vendor whose security documentation does not explicitly address LLM output as untrusted input, treat that absence as a finding. The vendors that built this assumption into their architecture have not necessarily documented it as a design decision. The CVE list this week is the documentation.

Security Unlocked publishes weekly threat intelligence and strategic analysis. This post is based on intelligence collected May 4-10, 2026.